diff --git a/.openpublishing.redirection.json b/.openpublishing.redirection.json
index baa458ee02..00a95b4582 100644
--- a/.openpublishing.redirection.json
+++ b/.openpublishing.redirection.json
@@ -1,5 +1,15 @@
{
"redirections": [
+ {
+ "source_path": "windows/configuration/use-json-customize-start-menu-windows.md",
+ "redirect_url": "/windows/configuration/customize-start-menu-layout-windows-11",
+ "redirect_document_id": false
+ },
+ {
+ "source_path": "windows/application-management/msix-app-packaging-tool.md",
+ "redirect_url": "/windows/application-management/apps-in-windows-10",
+ "redirect_document_id": false
+ },
{
"source_path": "browsers/edge/about-microsoft-edge.md",
"redirect_url": "/previous-versions/windows/edge-legacy/about-microsoft-edge",
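Review bot: the two new entries are inserted at the very top of the `redirections` array, ahead of the `browsers/edge/about-microsoft-edge.md` entry, instead of next to the other `windows/configuration` and `windows/application-management` entries; move them into the matching group so the 18,000-line file stays navigable. Also check the second target: `windows/application-management/msix-app-packaging-tool.md` is redirected to the general `/windows/application-management/apps-in-windows-10` page, so readers of the MSIX packaging tool article land on an overview rather than a replacement; if no direct successor exists, say so in the PR description. `"redirect_document_id": false` is right for both, since neither target is the same document.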
@@ -18946,10 +18956,10 @@
"redirect_document_id": false
},
{
- "source_path": "windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md",
- "redirect_url": "/windows/privacy/windows-10-and-privacy-compliance",
+ "source_path": "windows/security/identity-protection/change-history-for-access-protection.md",
+ "redirect_url": "/windows/security/",
"redirect_document_id": false
- },
+ }
]
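Review bot: this hunk drops the existing redirect for `windows/privacy/data-processor-service-for-windows-enterprise-public-preview-terms.md` and reuses its slot for `windows/security/identity-protection/change-history-for-access-protection.md`, so inbound links to the removed source path will break unless that page is restored elsewhere in the PR; if the removal is intentional, say so in the commit message. The `},` to `}` change on the final element does fix a trailing comma before `]`, which is invalid JSON, so keep that part. Redirecting a change-history page to the `/windows/security/` hub rather than a successor article is acceptable.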
diff --git a/.vscode/settings.json b/.vscode/settings.json
deleted file mode 100644
index f66a07d2e4..0000000000
--- a/.vscode/settings.json
+++ /dev/null
@@ -1,5 +0,0 @@
-{
- "cSpell.words": [
- "emie"
- ]
-}
\ No newline at end of file
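Review bot: deleting `.vscode/settings.json` removes the only `cSpell.words` entry, `emie`, so contributors running the Code Spell Checker extension will see that identifier flagged again throughout the Internet Explorer Enterprise Mode docs. If the goal is to stop committing editor-specific settings, move the word into a repository-level spell-checker configuration in the same PR, or state in the description that the loss is accepted.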
diff --git a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
index 30de0a2c97..a285c99103 100644
--- a/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
+++ b/browsers/internet-explorer/ie11-deploy-guide/img-ie11-docmode-lg.md
@@ -16,7 +16,7 @@ ms.author: dansimp
Return to: [Deprecated document modes and Internet Explorer 11](deprecated-document-modes.md)
-
+
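Review bot: the removed and added lines of this hunk are indistinguishable as text, so the change to `img-ie11-docmode-lg.md` is whitespace, line endings, or an image reference that does not render; a one-line invisible change should be named in the commit message so reviewers do not have to compare the bytes by hand.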
| Claim | Description |
|---|---|
| Object ID | Identifier of the user object corresponding to the authenticated user. |
| UPN | A claim containing the user principal name (UPN) of the authenticated user. |
| TID | A claim representing the tenant ID of the tenant. In the example above, it's Fabrikam. |
| Resource | A sanitized URL representing the MDM application. Example: https://fabrikam.contosomdm.com. |
| Scenario | HTTP status | Error | Error description |
|---|---|---|---|
| api-version not supported | 302 | invalid_request | unsupported version |
| Tenant or user data are missing or other required prerequisites for device enrollment are not met | 302 | unauthorized_client | unauthorized user or tenant |
| Azure AD token validation failed | 302 | unauthorized_client | unauthorized_client |
| internal service error | 302 | server_error | internal service error |
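The server side of the two tables above, as an added example that is not part of the original page or of any Microsoft code: an MDM service receives an Azure AD token, verifies it, checks that the Object ID, UPN, TID and Resource claims are present and belong to the expected tenant and MDM application, and answers each failure with the 302 `error` / `error_description` pair the table lists. Everything concrete here is an assumption of the example: the claim names (`oid`, `upn`, `tid`, `aud`, the Azure AD v1 names), the single accepted `api-version`, the tenant ID, the shared secret and the HS256 signing used so the code runs offline (Azure AD tokens are RS256-signed and a real server verifies them against the tenant's published signing keys in `verify_token`), and the `redirect_uri` the error is appended to.

```python
import base64
import hashlib
import hmac
import json
from typing import Optional, Tuple
from urllib.parse import urlencode

# Assumption for the example: the MDM application accepts only api-version 1.0.
SUPPORTED_API_VERSIONS = {"1.0"}

# Constructed stand-ins for the Fabrikam tenant and the MDM application in the page's example.
FABRIKAM_TID = "11111111-2222-3333-4444-555555555555"
MDM_RESOURCE = "https://fabrikam.contosomdm.com"
DEMO_SECRET = b"constructed-shared-secret-for-this-example-only"

Result = Tuple[int, Optional[str], Optional[str]]  # (http_status, error, error_description)


def _b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def mint_token(claims: dict, secret: bytes = DEMO_SECRET) -> str:
    """Constructed issuer: mints an HS256 JWT so the example runs offline.
    Azure AD issues RS256 tokens; this only produces input for the checks below."""
    header = _b64url_encode(json.dumps({"alg": "HS256", "typ": "JWT"}).encode())
    body = _b64url_encode(json.dumps(claims).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_token(token: str, now: int, secret: bytes = DEMO_SECRET) -> Optional[dict]:
    """Return the claims if the token is well formed, unexpired and carries a valid
    signature, else None. A real server verifies RS256 against the tenant's published
    signing keys here; the HMAC check is the offline stand-in for that step."""
    try:
        header_b64, body_b64, sig_b64 = token.split(".")
        header = json.loads(_b64url_decode(header_b64))
        if not isinstance(header, dict) or header.get("alg") != "HS256":
            return None  # never let the token choose the algorithm (alg=none / key confusion)
        signed = f"{header_b64}.{body_b64}".encode()
        expected = hmac.new(secret, signed, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
            return None
        claims = json.loads(_b64url_decode(body_b64))
    except ValueError:  # bad base64, bad JSON or wrong number of segments
        return None
    if not isinstance(claims, dict):
        return None
    exp = claims.get("exp")
    if not isinstance(exp, int) or exp <= now:
        return None
    return claims


def evaluate_enrollment(token: str, api_version: str, now: int,
                        expected_tid: str = FABRIKAM_TID,
                        expected_resource: str = MDM_RESOURCE) -> Result:
    """Apply the checks from the two tables above, in order, and return the
    (http_status, error, error_description) the MDM server should answer with;
    (200, None, None) means the request may proceed to enrollment."""
    try:
        if api_version not in SUPPORTED_API_VERSIONS:
            return 302, "invalid_request", "unsupported version"
        claims = verify_token(token, now)
        if claims is None:  # Azure AD token validation failed
            return 302, "unauthorized_client", "unauthorized_client"
        # Claim names follow Azure AD v1 tokens (an assumption of this example):
        # oid = Object ID, upn = UPN, tid = TID, aud = Resource (the MDM application URL).
        for name in ("oid", "upn", "tid", "aud"):
            if not claims.get(name):  # tenant or user data missing
                return 302, "unauthorized_client", "unauthorized user or tenant"
        if claims["tid"] != expected_tid or claims["aud"] != expected_resource:
            return 302, "unauthorized_client", "unauthorized user or tenant"
        return 200, None, None
    except Exception:  # anything unexpected is reported, not leaked, per the last table row
        return 302, "server_error", "internal service error"


def redirect_location(redirect_uri: str, result: Result) -> Optional[str]:
    """Build the Location header for the 302 the table describes. The OAuth
    error / error_description parameter names are standard; redirect_uri is assumed."""
    status, error, description = result
    if status != 302:
        return None
    return redirect_uri + "?" + urlencode({"error": error, "error_description": description})
```

The order of the checks matters: the version check runs before any token parsing so an unsupported caller never reaches the signature code, and the signature and expiry are verified before any claim is read, so a tenant mismatch is only ever reported for a token that was genuinely issued. Both "token validation failed" and "wrong tenant" deliberately collapse to `unauthorized_client`, as in the table, so the redirect does not tell an attacker which step rejected the request.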
| | Traditional MDM enrollment | Azure AD Join (organization-owned device) | Azure AD adds a work account (user-owned device) |
|---|---|---|---|
| MDM auto-discovery using email address to retrieve MDM discovery URL | Enrollment | Not applicable | Discovery URL provisioned in Azure |
| Uses MDM discovery URL | Enrollment, Enrollment renewal, ROBO | Enrollment, Enrollment renewal, ROBO | Enrollment, Enrollment renewal, ROBO |
| Is MDM enrollment required? | Yes | Yes | No. User can decline. |
| Authentication type | OnPremise, Federated, Certificate | Federated | Federated |
| EnrollmentPolicyServiceURL | Optional (all auth) | Optional (all auth) | Optional (all auth) |
| EnrollmentServiceURL | Required (all auth) | Used (all auth) | Used (all auth) |
| EnrollmentServiceURL includes OS Version, OS Platform, and other attributes provided by MDM discovery URL | Highly recommended | Highly recommended | Highly recommended |
| AuthenticationServiceURL used | Used (Federated auth) | Skipped | Skipped |
| BinarySecurityToken | Custom per MDM | Azure AD issued token | Azure AD issued token |
| EnrollmentType | Full | Device | Full |
| Enrolled certificate type | User certificate | Device certificate | User certificate |
| Enrolled certificate store | My/User | My/System | My/User |
| CSR subject name | User Principal Name | Device ID | User Principal Name |
| EnrollmentData Terms of Use binary blob as AdditionalContext for EnrollmentServiceURL | Not supported | Supported | Supported |
| CSPs accessible during enrollment | Windows 10 support: | same as traditional MDM enrollment | same as traditional MDM enrollment |
Enrollment error messages shown to the user ({0} is replaced by the error code at runtime):

- There was an error communicating with the server. You can try to do this again or contact your system administrator with the error code {0}.
- There was a problem authenticating your account or device. You can try to do this again or contact your system administrator with the error code {0}.
- This user is not authorized to enroll. You can try to do this again or contact your system administrator with the error code {0}.
- There was a certificate error. You can try to do this again or contact your system administrator with the error code {0}.
- Another enrollment is in progress. You can try to do this again or contact your system administrator with the error code {0}.
- This device is already enrolled. You can contact your system administrator with the error code {0}.
- Looks like there are too many devices or users for this account. Contact your system administrator with the error code {0}.
- This feature is not supported. Contact your system administrator with the error code {0}.
- The server did not accept the request. You can try to do this again or contact your system administrator with the error code {0}.
- The service is in maintenance. You can try to do this again later or contact your system administrator with the error code {0}.
- There was an error with your license. You can try to do this again or contact your system administrator with the error code {0}.
- Looks like the server is not correctly configured. You can try to do this again or contact your system administrator with the error code {0}.
- Your organization requires that you agree to the Terms of Use. Please try again or ask your support person for more information.
- A reboot is required to complete device registration.
- Looks like you have an invalid certificate. Contact your system administrator with the error code {0}.
Optional. Integer. Specifies the default roaming value. Valid values are:
-BitLocker CSP | -Added support for Windows 10 Pro starting in the version 1809. + | BitLocker CSP | +Added support for Windows 10 Pro starting in the version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Office CSP | -Added FinalStatus setting in Windows 10, version 1809. + | Office CSP | +Added FinalStatus setting in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
RemoteWipe CSP | -Added new settings in Windows 10, version 1809. + | RemoteWipe CSP | +Added new settings in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
TenantLockdown CSP | -Added new CSP in Windows 10, version 1809. + | TenantLockdown CSP | +Added new CSP in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
WindowsDefenderApplicationGuard CSP | -Added new settings in Windows 10, version 1809. + | WindowsDefenderApplicationGuard CSP | +Added new settings in Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Policy DDF file | -Posted an updated version of the Policy DDF for Windows 10, version 1809. + | Policy DDF file | +Posted an updated version of the Policy DDF for Windows 10, version 1809. | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Policy CSP | -Added the following new policies in Windows 10, version 1809: + | Policy CSP | +Added the following new policies in Windows 10, version 1809:
AssignedAccess CSP |
-Added the following note: +AssignedAccess CSP |
+Added the following note: PassportForWork CSP |
-Added new settings in Windows 10, version 1809. +PassportForWork CSP |
+Added new settings in Windows 10, version 1809. EnterpriseModernAppManagement CSP |
-Added NonRemovable setting under AppManagement node in Windows 10, version 1809. +EnterpriseModernAppManagement CSP |
+Added NonRemovable setting under AppManagement node in Windows 10, version 1809. Win32CompatibilityAppraiser CSP |
-Added new configuration service provider in Windows 10, version 1809. +Win32CompatibilityAppraiser CSP |
+Added new configuration service provider in Windows 10, version 1809. WindowsLicensing CSP |
-Added S mode settings and SyncML examples in Windows 10, version 1809. +WindowsLicensing CSP |
+Added S mode settings and SyncML examples in Windows 10, version 1809. SUPL CSP |
-Added 3 new certificate nodes in Windows 10, version 1809. +SUPL CSP |
+Added 3 new certificate nodes in Windows 10, version 1809. Defender CSP |
-Added a new node Health/ProductStatus in Windows 10, version 1809. +Defender CSP |
+Added a new node Health/ProductStatus in Windows 10, version 1809. BitLocker CSP |
-Added a new node AllowStandardUserEncryption in Windows 10, version 1809. +BitLocker CSP |
+Added a new node AllowStandardUserEncryption in Windows 10, version 1809. DevDetail CSP |
-Added a new node SMBIOSSerialNumber in Windows 10, version 1809. +DevDetail CSP |
+Added a new node SMBIOSSerialNumber in Windows 10, version 1809. Policy CSP |
-Added the following new policies in Windows 10, version 1809: +Policy CSP |
+Added the following new policies in Windows 10, version 1809: Wifi CSP |
-Added a new node WifiCost in Windows 10, version 1809. +Wifi CSP |
+Added a new node WifiCost in Windows 10, version 1809. Diagnose MDM failures in Windows 10 |
-Recent changes: +Diagnose MDM failures in Windows 10 |
+Recent changes: BitLocker CSP |
-Added new node AllowStandardUserEncryption in Windows 10, version 1809. +BitLocker CSP |
+Added new node AllowStandardUserEncryption in Windows 10, version 1809. Policy CSP |
-Recent changes: +Policy CSP |
+Recent changes: WiredNetwork CSP |
-New CSP added in Windows 10, version 1809.
+ | WiredNetwork CSP |
+New CSP added in Windows 10, version 1809.
| |
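Review bot: every `-`/`+` pair in this run carries identical text (for example `-Added support for Windows 10 Pro starting in the version 1809.` against `+Added support for Windows 10 Pro starting in the version 1809.`), so this is a markup-only rewrap of the change-history table and should be labelled as such in the commit message. Since the BitLocker CSP row is being rewritten anyway, change "starting in the version 1809" to "starting in Windows 10, version 1809" to match the wording of the other rows.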
Updated the DDF files in the Windows 10 version 1703 and 1709.
+Updated the DDF files in the Windows 10 version 1703 and 1709.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
+Updated version available. MMAT is a tool you can use to determine which Group Policies are set on a target user/computer and cross-reference them against the list of supported MDM policies.
Added the DDF download of Windows 10, version 1803 configuration service providers.
+Added the DDF download of Windows 10, version 1803 configuration service providers.
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following videos:
+Added the following videos:
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Added new section ServicesAllowedList usage guide.
+Added new section ServicesAllowedList usage guide.
Added SyncML examples and updated the settings descriptions.
+Added SyncML examples and updated the settings descriptions.
Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
+Reverted back to Windows 10, version 1709. Removed previous draft documentation for version 1803.
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Updated the XSD and Plug-in profile example for VPNv2 CSP.
+Updated the XSD and Plug-in profile example for VPNv2 CSP.
Added the following nodes in Windows 10, version 1803:
+Added the following nodes in Windows 10, version 1803:
Updated the AssigneAccessConfiguration schema. Starting in Windows 10, version 1803 AssignedAccess CSP is supported in HoloLens (1st gen) Commercial Suite. Added example for HoloLens (1st gen) Commercial Suite.
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following node in Windows 10, version 1803:
+Added the following node in Windows 10, version 1803:
Added the following new policies for Windows 10, version 1803:
+Added the following new policies for Windows 10, version 1803:
Security/RequireDeviceEncryption - updated to show it is supported in desktop.
Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
+Updated the description for AllowWarningForOtherDiskEncryption to describe changes added in Windows 10, version 1803.
Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
+Added new node MaintainProcessorArchitectureOnUpdate in Windows 10, next major update.
Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
+Added ./User/Vendor/MSFT/DMClient/Provider/[ProviderID]/FirstSyncStatus node. Also added the following nodes in Windows 10, version 1803:
Added new node (OfflineScan) in Windows 10, version 1803.
+Added new node (OfflineScan) in Windows 10, version 1803.
Added a new CSP in Windows 10, version 1803.
+Added a new CSP in Windows 10, version 1803.
Added the following nodes in Windows 10, version 1803:
+Added the following nodes in Windows 10, version 1803:
Added new section CSP DDF files download
+Added new section CSP DDF files download
Added the following policies for Windows 10, version 1709:
+Added the following policies for Windows 10, version 1709:
Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
+Updated the DDF content for Windows 10 version 1709. Added a link to the download of Policy DDF for Windows 10, version 1709.
Updated the following policies:
+Updated the following policies:
Added new CSP in Windows 10, version 1709.
+Added new CSP in Windows 10, version 1709.
Added SyncML examples for the new Configuration node.
+Added SyncML examples for the new Configuration node.
Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
+Added new nodes to the DMClient CSP in Windows 10, version 1709. Updated the CSP and DDF topics.
Added the following new policies for Windows 10, version 1709:
+Added the following new policies for Windows 10, version 1709:
Added new settings to Update/BranchReadinessLevel policy in Windows 10 version 1709.
Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
+Starting in Windows 10, version 1709, AssignedAccess CSP is also supported in Windows 10 Pro.
Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
+Windows Store for Business name changed to Microsoft Store for Business. Windows Store name changed to Microsoft Store.
The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
+The Windows 10 enrollment protocol was updated. The following elements were added to the RequestSecurityToken message:
For examples, see section 4.3.1 RequestSecurityToken of the MS-MDE2 protocol documentation.
Added a SyncML example.
+Added a SyncML example.
Added RegisterDNS setting in Windows 10, version 1709.
+Added RegisterDNS setting in Windows 10, version 1709.
Added new topic to introduce a new Group Policy for automatic MDM enrollment.
+Added new topic to introduce a new Group Policy for automatic MDM enrollment.
New features in the Settings app:
+New features in the Settings app:
Added new step-by-step guide to enable ADMX-backed policies.
+Added new step-by-step guide to enable ADMX-backed policies.
Added the following statement:
+Added the following statement:
Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
+Updated the description of the PuposeGroups node to add the GUID for applications. This node is required instead of optional.
Updated the Settings/EDPEnforcementLevel values to the following:
+Updated the Settings/EDPEnforcementLevel values to the following:
Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
+Added two new SyncML examples (to disable the calendar app and to block usage of the map app) in Allow list examples.
Added the following settings in Windows 10, version 1709:
+Added the following settings in Windows 10, version 1709:
Added the following setting in Windows 10, version 1709:
+Added the following setting in Windows 10, version 1709:
Added the following new policies for Windows 10, version 1709:
+Added the following new policies for Windows 10, version 1709:
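Review bot: each `+` line in this run repeats the line before it verbatim, so no wording changes; while these rows are being touched, fix the two typos they carry forward: `PuposeGroups` should be `PurposeGroups`, and `AssigneAccessConfiguration` should be `AssignedAccessConfiguration`. The rows that end in "Added the following node in Windows 10, version 1803:" and "Added the following new policies for Windows 10, version 1803:" are followed by nothing in the diff, so confirm the nested lists under them survived the rewrap in the rendered page.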
The root node for the CleanPC configuration service provider.
+The root node for the CleanPC configuration service provider.
**CleanPCWithoutRetainingUserData** -An integer specifying a CleanPC operation without any retention of user data. +
An integer specifying a CleanPC operation without any retention of user data. -
The only supported operation is Execute. +
The only supported operation is Execute. **CleanPCRetainingUserData** -
An integer specifying a CleanPC operation with retention of user data. +
An integer specifying a CleanPC operation with retention of user data. -
The only supported operation is Execute. +
The only supported operation is Execute. diff --git a/windows/client-management/mdm/cm-cellularentries-csp.md b/windows/client-management/mdm/cm-cellularentries-csp.md index 1d42413872..44886adee0 100644 --- a/windows/client-management/mdm/cm-cellularentries-csp.md +++ b/windows/client-management/mdm/cm-cellularentries-csp.md @@ -23,28 +23,28 @@ The following diagram shows the CM\_CellularEntries configuration service provid  ***entryname*** -
Defines the name of the connection.
+Defines the name of the connection.
-The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
+The CMPolicy configuration service provider uses the value of entryname to identify the connection that is associated with a policy and CM_ProxyEntries configuration service provider uses the value of entryname to identify the connection that is associated with a proxy.
**AlwaysOn** -Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. +
Type: Int. Specifies if the Connection Manager will automatically attempt to connect to the APN when a connection is available. -
A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. +
A value of "0" specifies that AlwaysOn is not supported, and the Connection Manager will only attempt to connect to the APN when an application requests the connection. This setting is recommended for applications that use a connection occasionally, for example, an APN that only controls MMS. -
A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. +
A value of "1" specifies that AlwaysOn is supported, and the Connection Manager will automatically attempt to connect to the APN when it is available. This setting is recommended for general purpose Internet APNs. -
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. +
There must be at least one AlwaysOn Internet connection provisioned for the mobile operator. **AuthType** -
Optional. Type: String. Specifies the method of authentication used for a connection. +
Optional. Type: String. Specifies the method of authentication used for a connection. -
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". +
A value of "CHAP" specifies the Challenge Handshake Application Protocol. A value of "PAP" specifies the Password Authentication Protocol. A value of "None" specifies that the UserName and Password parameters are ignored. The default value is "None". **ConnectionType** -
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: +
Optional. Type: String. Specifies the type of connection used for the APN. The following connection types are available: -
OS upgrade |
-8 months |
-1 month |
-Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
+OS upgrade |
+8 months |
+1 month |
+Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5 |
Update |
-1 month |
-1 week |
-
+ |
+Update |
+1 month |
+1 week
Note
If a machine has Microsoft Update enabled, any Microsoft Updates in these categories will also observe Defer / Pause logic.
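Review bot: the `-`/`+` lines of the OS upgrade and Update rows carry identical values (8 months / 1 month / `Upgrade - 3689BDC8-B205-4AF4-8D4A-A63924C5E9D5` and 1 month / 1 week), so the change is table markup only. The Update row's fourth cell is empty on both sides while the OS upgrade row carries its classification GUID; if Update intentionally spans several classifications, say so in that cell rather than leaving it blank.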
@@ -361,10 +361,10 @@ If a machine has Microsoft Update enabled, any Microsoft Updates in these catego
| |
Other/cannot defer |
-No deferral |
-No deferral |
-Any update category not enumerated above falls into this category. + | Other/cannot defer |
+No deferral |
+No deferral |
+Any update category not enumerated above falls into this category. Definition Update - E0789628-CE08-4437-BE74-2495B842F43B |
BranchReadinessLevel |
-REG_DWORD |
-16: systems take Feature Updates on the Current Branch (CB) train + | BranchReadinessLevel |
+REG_DWORD |
+16: systems take Feature Updates on the Current Branch (CB) train 32: systems take Feature Updates on the Current Branch for Business Other value or absent: receive all applicable updates (CB) |
||
DeferQualityUpdates |
-REG_DWORD |
-1: defer quality updates + | DeferQualityUpdates |
+REG_DWORD |
+1: defer quality updates Other value or absent: don’t defer quality updates |
||
DeferQualityUpdatesPeriodInDays |
-REG_DWORD |
-0-30: days to defer quality updates |
+DeferQualityUpdatesPeriodInDays |
+REG_DWORD |
+0-30: days to defer quality updates |
||
PauseQualityUpdates |
-REG_DWORD |
-1: pause quality updates + | PauseQualityUpdates |
+REG_DWORD |
+1: pause quality updates Other value or absent: don’t pause quality updates |
||
DeferFeatureUpdates |
-REG_DWORD |
-1: defer feature updates + | DeferFeatureUpdates |
+REG_DWORD |
+1: defer feature updates Other value or absent: don’t defer feature updates |
||
DeferFeatureUpdatesPeriodInDays |
-REG_DWORD |
-0-180: days to defer feature updates |
+DeferFeatureUpdatesPeriodInDays |
+REG_DWORD |
+0-180: days to defer feature updates |
||
PauseFeatureUpdates |
-REG_DWORD |
-1: pause feature updates + | PauseFeatureUpdates |
+REG_DWORD |
+1: pause feature updates Other value or absent: don’t pause feature updates |
||
ExcludeWUDriversInQualityUpdate |
-REG_DWORD |
-1: exclude WU drivers + | ExcludeWUDriversInQualityUpdate |
+REG_DWORD |
+1: exclude WU drivers Other value or absent: offer WU drivers |
||
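Review bot: the alternative values in the right-hand column now run together on single lines, for example `+16: systems take Feature Updates on the Current Branch (CB) train 32: systems take Feature Updates on the Current Branch for Business Other value or absent: receive all applicable updates (CB) |` and `+1: defer quality updates Other value or absent: don’t defer quality updates |`; if the line breaks between the alternatives were meant to survive in the markdown table, separate them with `<br>` so a reader can tell where one value ends and the next begins. While here, the "Other value or absent: receive all applicable updates (CB)" entry for BranchReadinessLevel ends in a bare "(CB)" that reads as a stray label; say plainly which branch those systems follow.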
CONFIG_E_OBJECTBUSY |
-Another instance of the configuration management service is currently running. |
+CONFIG_E_OBJECTBUSY |
+Another instance of the configuration management service is currently running. |
||||
CONFIG_E_ENTRYNOTFOUND |
-No metabase entry was found. |
+CONFIG_E_ENTRYNOTFOUND |
+No metabase entry was found. |
||||
CONFIG_E_CSPEXCEPTION |
-An exception occurred in one of the configuration service providers. |
+CONFIG_E_CSPEXCEPTION |
+An exception occurred in one of the configuration service providers. |
||||
CONFIG_E_TRANSACTIONINGFAILURE |
-A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
+CONFIG_E_TRANSACTIONINGFAILURE |
+A configuration service provider failed to roll back properly. The affected settings might be in an unknown state. |
||||
CONFIG_E_BAD_XML |
-The XML input is invalid or malformed. |
+CONFIG_E_BAD_XML |
+The XML input is invalid or malformed. |
Minimum supported client
None supported
Minimum supported client
None supported
Minimum supported server
None supported
Minimum supported server
None supported
Minimum supported phone
Windows Phone 8.1
Minimum supported phone
Windows Phone 8.1
Header
Dmprocessxmlfiltered.h
Header
Dmprocessxmlfiltered.h
Library
Dmprocessxmlfiltered.lib
Library
Dmprocessxmlfiltered.lib
DLL
Dmprocessxmlfiltered.dll
DLL
Dmprocessxmlfiltered.dll
Defines the root node for the DMSessionActions configuration service provider.
+Defines the root node for the DMSessionActions configuration service provider.
***ProviderID*** -Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
+Group settings per device management (DM) server. Each group of settings is distinguished by the Provider ID of the server. It must be the same DM server Provider ID value that was supplied through the w7 APPLICATION configuration service provider XML during the enrollment process. Only one enterprise management server is supported, which means there should be only one ProviderID node under NodeCache.
-Scope is dynamic. Supported operations are Get, Add, and Delete.
+Scope is dynamic. Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration** -Node for the custom configuration of alerts to be sent during MDM sync session.
+Node for the custom configuration of alerts to be sent during MDM sync session.
***ProviderID*/CheckinAlertConfiguration/Nodes** -Required. Root node for URIs to be queried. Scope is dynamic.
+Required. Root node for URIs to be queried. Scope is dynamic.
-Supported operation is Get.
+Supported operation is Get.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*** -Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
+Required. Information about each node is stored under NodeID as specified by the server. This value must not contain a comma. Scope is dynamic.
-Supported operations are Get, Add, and Delete.
+Supported operations are Get, Add, and Delete.
***ProviderID*/CheckinAlertConfiguration/Nodes/*NodeID*/NodeURI** -Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Required. The value is a complete OMA DM node URI. It can specify either an interior node or a leaf node in the device management tree. Scope is dynamic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**AlertData** -Node to query the custom alert per server configuration
-Value type is string. Supported operation is Get.
+Node to query the custom alert per server configuration
+Value type is string. Supported operation is Get.
**PowerSettings** -Node for power-related configrations
+Node for power-related configrations
**PowerSettings/MaxSkippedSessionsInLowPowerState** -Maximum number of continuous skipped sync sessions when the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum number of continuous skipped sync sessions when the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**PowerSettings/MaxTimeSessionsSkippedInLowPowerState** -Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Maximum time in minutes when the device can skip the check-in with the server if the device is in low-power state.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
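Review bot: typo on the `+Node for power-related configrations` line: "configurations". The new ProviderID description in this hunk belongs to the DMSessionActions CSP (see the `+Defines the root node for the DMSessionActions configuration service provider.` line above) yet ends with "there should be only one ProviderID node under NodeCache"; unless that is intended, it should refer to DMSessionActions rather than NodeCache. Minor grammar on the `+Node for the custom configuration of alerts to be sent during MDM sync session.` line: "during an MDM sync session".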
diff --git a/windows/client-management/mdm/dynamicmanagement-csp.md b/windows/client-management/mdm/dynamicmanagement-csp.md index 3716a1c54a..3b59ea0c12 100644 --- a/windows/client-management/mdm/dynamicmanagement-csp.md +++ b/windows/client-management/mdm/dynamicmanagement-csp.md @@ -33,12 +33,12 @@ DynamicManagement ----AlertsEnabled ``` **DynamicManagement** -The root node for the DynamicManagement configuration service provider.
+The root node for the DynamicManagement configuration service provider.
**NotificationsEnabled** -Boolean value for sending notification to the user of a context change.
-Default value is False. Supported operations are Get and Replace.
-Example to turn on NotificationsEnabled:
+Boolean value for sending notification to the user of a context change.
+Default value is False. Supported operations are Get and Replace.
+Example to turn on NotificationsEnabled:
```xmlA string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
-Supported operation is Get.
+A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..
+Supported operation is Get.
**Contexts** -Node for context information.
-Supported operation is Get.
+Node for context information.
+Supported operation is Get.
***ContextID*** -Node created by the server to define a context. Maximum number of characters allowed is 38.
-Supported operations are Add, Get, and Delete.
+Node created by the server to define a context. Maximum number of characters allowed is 38.
+Supported operations are Add, Get, and Delete.
**SignalDefinition** -Signal Definition XML.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Signal Definition XML.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPack** -Settings that get applied when the Context is active.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Settings that get applied when the Context is active.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**SettingsPackResponse** -Response from applying a Settings Pack that contains information on each individual action.
-Value type is string. Supported operation is Get.
+Response from applying a Settings Pack that contains information on each individual action.
+Value type is string. Supported operation is Get.
**ContextStatus** -Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
-Value type is integer. Supported operation is Get.
+Reports status of the context. If there was a failure, SettingsPackResponse should be checked for what exactly failed.
+Value type is integer. Supported operation is Get.
**Altitude** -A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
-Value type is integer. Supported operations are Add, Get, Delete, and Replace.
+A value that determines how to handle conflict resolution of applying multiple contexts on the device. This is required and must be distinct of other priorities.
+Value type is integer. Supported operations are Add, Get, Delete, and Replace.
**AlertsEnabled** -A Boolean value for sending an alert to the server when a context fails.
-Supported operations are Get and Replace.
+A Boolean value for sending an alert to the server when a context fails.
+Supported operations are Get and Replace.
## Examples diff --git a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md index cfc9928a0b..bf6cf8cc1e 100644 --- a/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md +++ b/windows/client-management/mdm/enable-admx-backed-policies-in-mdm.md @@ -1,6 +1,6 @@ --- -title: Enable ADMX-backed policies in MDM -description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX-backed policies) in Mobile Device Management (MDM). +title: Enable ADMX policies in MDM +description: Use this step-by-step guide to configure a selected set of Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). ms.author: dansimp ms.topic: article ms.prod: w10 
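Review bot: in the DynamicManagement hunk above, the `+A string containing the list of all active ContextIDs on the device. Delimeter is unicode character 0xF000..` line carries two slips into the new text: "Delimiter", and a doubled period after 0xF000. The same line is preceded by the "```xml" fence opened for the NotificationsEnabled example, which then runs straight into the ActiveList description; check that the example body and its closing fence are intact in the file.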
@@ -12,30 +12,30 @@ ms.reviewer: manager: dansimp --- -# Enable ADMX-backed policies in MDM +# Enable ADMX policies in MDM -This is a step-by-step guide to configuring ADMX-backed policies in MDM. +Here's how to configure Group Policy administrative templates (ADMX policies) in Mobile Device Management (MDM). -Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX-backed policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX-backed policies in Policy CSP is different from the typical way you configure a traditional MDM policy. +Starting in Windows 10 version 1703, Mobile Device Management (MDM) policy configuration support was expanded to allow access of [selected set of Group Policy administrative templates (ADMX policies)](./policies-in-policy-csp-admx-backed.md) for Windows PCs via the [Policy configuration service provider (CSP)](policy-configuration-service-provider.md). Configuring ADMX policies in Policy CSP is different from the typical way you configure a traditional MDM policy. Summary of steps to enable a policy: -- Find the policy from the list ADMX-backed policies. +- Find the policy from the list ADMX policies. - Find the Group Policy related information from the MDM policy description. - Use the Group Policy Editor to determine whether there are parameters necessary to enable the policy. - Create the data payload for the SyncML. 
-See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX-Backed policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. +See [Support Tip: Ingesting Office ADMX policies using Microsoft Intune](https://techcommunity.microsoft.com/t5/Intune-Customer-Success/Support-Tip-Ingesting-Office-ADMX-Backed-policies-using/ba-p/354824) and [Deploying ADMX policies using Microsoft Intune](/archive/blogs/senthilkumar/intune-deploying-admx-backed-policies-using-microsoft-intune) for a walk-through using Intune. ->[!TIP] ->Intune has added a number of ADMX-backed administrative templates in public preview. Check if the policy settings you need are available in a template before using the SyncML method described below. [Learn more about Intune's administrative templates.](/intune/administrative-templates-windows) + + ## Enable a policy > [!NOTE] -> See [Understanding ADMX-backed policies in Policy CSP](./understanding-admx-backed-policies.md). +> See [Understanding ADMX policies in Policy CSP](./understanding-admx-backed-policies.md). -1. Find the policy from the list [ADMX-backed policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. +1. Find the policy from the list [ADMX policies](./policies-in-policy-csp-admx-backed.md). You need the following information listed in the policy description. - GP English name - GP name - GP ADMX file name 
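Review bot: the `[!TIP]` box pointing readers to Intune's administrative templates is dropped in this hunk and replaced by two blank `+` lines; if the removal is intentional, drop the blank lines as well, and if not, restore the tip with the new "ADMX policies" wording. Two grammar slips survive on the `+` lines: "allow access of [selected set of Group Policy administrative templates" should be "allow access to a [selected set of ...", and "Find the policy from the list ADMX policies" (in both the summary bullet and step 1) should be "from the list of ADMX policies".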
@@ -63,7 +63,7 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune]( 3. Create the SyncML to enable the policy that does not require any parameter. - In this example you configure **Enable App-V Client** to **Enabled**. + In this example, you configure **Enable App-V Client** to **Enabled**. > [!NOTE] > The \ payload must be XML encoded. To avoid encoding, you can use CData if your MDM supports it. For more information, see [CDATA Sections](http://www.w3.org/TR/REC-xml/#sec-cdata-sect). If you are using Intune, select String as the data type. @@ -109,12 +109,12 @@ See [Support Tip: Ingesting Office ADMX-backed policies using Microsoft Intune](  - 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the admx files) and open appv.admx. + 3. Navigate to **C:\Windows\PolicyDefinitions** (default location of the ADMX files) and open appv.admx. 4. Search for GP name **Publishing_Server2_policy**. - 5. Under **policy name="Publishing_Server2_Policy"** you can see the \The root node for the EnterpriseAPN configuration service provider.
+The root node for the EnterpriseAPN configuration service provider.
**EnterpriseAPN/***ConnectionName* -Name of the connection as seen by Windows Connection Manager.
+Name of the connection as seen by Windows Connection Manager.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/APNName** -Enterprise APN name.
+Enterprise APN name.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IPType** -This value can be one of the following:
+This value can be one of the following:
- IPv4 - only IPV4 connection type - IPv6 - only IPv6 connection type - IPv4v6 (default)- IPv4 and IPv6 concurrently. - IPv4v6xlat - IPv6 with IPv4 provided by 46xlat -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IsAttachAPN** -Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
+Boolean value that indicates whether this APN should be requested as part of an LTE Attach. Default value is false.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/ClassId** -GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
+GUID that defines the APN class to the modem. This is the same as the OEMConnectionId in CM_CellularEntries CSP. Normally this setting is not present. It is only required when IsAttachAPN is true and the attach APN is not only used as the Internet APN.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AuthType** -Authentication type. This value can be one of the following:
+Authentication type. This value can be one of the following:
- None (default) - Auto @@ -80,39 +80,39 @@ EnterpriseAPN - CHAP - MSCHAPv2 -Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/UserName** -User name for use with PAP, CHAP, or MSCHAPv2 authentication.
+User name for use with PAP, CHAP, or MSCHAPv2 authentication.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Password** -Password corresponding to the username.
+Password corresponding to the username.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/IccId** -Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
+Integrated Circuit Card ID (ICCID) associated with the cellular connection profile. If this node is not present, the connection is created on a single-slot device using the ICCID of the UICC and on a dual-slot device using the ICCID of the UICC that is active for data.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/AlwaysOn** -Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
+Added in Windows 10, version 1607. Boolean value that specifies whether the CM will automatically attempt to connect to the APN when a connection is available.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Enabled** -Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
+Added in Windows 10, version 1607. Boolean that specifies whether the connection is enabled.
-The default value is true.
+The default value is true.
-Supported operations are Add, Get, Delete, and Replace.
+Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/*ConnectionName*/Roaming** -Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:
Default is 1 (all roaming allowed).
+Default is 1 (all roaming allowed).
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**EnterpriseAPN/Settings** -Added in Windows 10, version 1607. Node that contains global settings.
+Added in Windows 10, version 1607. Node that contains global settings.
**EnterpriseAPN/Settings/AllowUserControl** -Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**EnterpriseAPN/Settings/HideView** -Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
+Added in Windows 10, version 1607. Boolean that specifies whether the cellular UX will allow the user to view enterprise APNs. Only applicable if AllowUserControl is true.
-The default value is false.
+The default value is false.
-Supported operations are Get and Replace.
+Supported operations are Get and Replace.
## Examples diff --git a/windows/client-management/mdm/enterpriseappvmanagement-csp.md b/windows/client-management/mdm/enterpriseappvmanagement-csp.md index 9a0893f98e..cb948488da 100644 --- a/windows/client-management/mdm/enterpriseappvmanagement-csp.md +++ b/windows/client-management/mdm/enterpriseappvmanagement-csp.md @@ -45,68 +45,68 @@ EnterpriseAppVManagement ------------Policy ``` **./Vendor/MSFT/EnterpriseAppVManagement** -Root node for the EnterpriseAppVManagement configuration service provider.
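Review bot: in the EnterpriseAPN hunk above, the `+Added in Windows 10, version 1607. Boolean value that specifies whether the cellular UX will allow users to connect with other APNs other than the Enterprise APN.` line doubles "other"; "connect with APNs other than the Enterprise APN" reads cleanly. The `+Added in Windows 10, version 1703. Specifies whether the connection should be activated when the device is roaming. Valid values:` line announces a list, but only `+Default is 1 (all roaming allowed).` follows it in the hunk, so confirm the roaming value list is still present in the file after the reformat.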
+Root node for the EnterpriseAppVManagement configuration service provider.
**AppVPackageManagement** -Used to query App-V package information (post-publish).
+Used to query App-V package information (post-publish).
**AppVPackageManagement/EnterpriseID** -Used to query package information. Value is always "HostedInstall".
+Used to query package information. Value is always "HostedInstall".
**AppVPackageManagement/EnterpriseID/PackageFamilyName** -Package ID of the published App-V package.
+Package ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*** -Version ID of the published App-V package.
+Version ID of the published App-V package.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Name** -Name specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Name specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Version** -Version specified in the published AppV package.
-Value type is string. Supported operation is Get.
+Version specified in the published AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Publisher** -Publisher as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Publisher as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallLocation** -Local package path specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Local package path specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/InstallDate** -Date the app was installed, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Date the app was installed, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/Users** -Registered users for app, as specified in the published asset information of the AppV package.
-Value type is string. Supported operation is Get.
+Registered users for app, as specified in the published asset information of the AppV package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageId** -Package ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Package ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVVersionId** -Version ID of the published App-V package.
-Value type is string. Supported operation is Get.
+Version ID of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPackageManagement/*EnterpriseID*/*PackageFamilyName*/*PackageFullName*/AppVPackageUri** -Package URI of the published App-V package.
-Value type is string. Supported operation is Get.
+Package URI of the published App-V package.
+Value type is string. Supported operation is Get.
**AppVPublishing** -Used to monitor publishing operations on App-V.
+Used to monitor publishing operations on App-V.
**AppVPublishing/LastSync** -Used to monitor publishing status of last sync operation.
+Used to monitor publishing status of last sync operation.
**AppVPublishing/LastSync/LastError** -Error code and error description of last sync operation.
-Value type is string. Supported operation is Get.
+Error code and error description of last sync operation.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/LastErrorDescription** -Last sync error status. One of the following values may be returned:
+Last sync error status. One of the following values may be returned:
- SYNC\_ERR_NONE (0) - No errors during publish. - SYNC\_ERR\_UNPUBLISH_GROUPS (1) - Unpublish groups failed during publish. @@ -116,10 +116,10 @@ EnterpriseAppVManagement - SYNC\_ERR\_NEW_POLICY_WRITE (5) - New policy write failed during publish. - SYNC\_ERR\_MULTIPLE\_DURING_PUBLISH (6) - Multiple non-fatal errors occurred during publish. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/LastSync/SyncStatusDescription** -Latest sync in-progress stage. One of the following values may be returned:
+Latest sync in-progress stage. One of the following values may be returned:
- SYNC\_PROGRESS_IDLE (0) - App-V publishing is idle. - SYNC\_PROGRESS\_UNPUBLISH_GROUPS (1) - App-V connection groups publish in progress. @@ -127,9 +127,9 @@ EnterpriseAppVManagement - SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES (3) - App-V packages (connection group) publish in progress. - SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4) - App-V packages unpublish in progress. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
-AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
+AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:
- SYNC\_STATUS_IDLE (0) - App-V Sync is idle. - SYNC\_STATUS\_PUBLISH_STARTED (1) - App-V Sync is initializing. @@ -137,22 +137,22 @@ EnterpriseAppVManagement - SYNC\_STATUS\_PUBLISH\_COMPLETED (3) - App-V Sync is complete. - SYNC\_STATUS\_PUBLISH\_REBOOT_REQUIRED (4) - App-V Sync requires device reboot. -Value type is string. Supported operation is Get.
+Value type is string. Supported operation is Get.
**AppVPublishing/Sync** -Used to perform App-V synchronization.
+Used to perform App-V synchronization.
**AppVPublishing/Sync/PublishXML** -Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
-Supported operations are Get, Delete, and Execute.
+Used to execute the App-V synchronization using the Publishing protocol. For more information about the protocol see [MS-VAPR]: Virtual Application Publishing and Reporting (App-V) Protocol.
+Supported operations are Get, Delete, and Execute.
**AppVDynamicPolicy** -Used to set App-V Policy Configuration documents for publishing packages.
+Used to set App-V Policy Configuration documents for publishing packages.
**AppVDynamicPolicy/*ConfigurationId*** -ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
+ID for App-V Policy Configuration document for publishing packages (referenced in the Publishing protocol document).
**AppVDynamicPolicy/*ConfigurationId*/Policy** -XML for App-V Policy Configuration documents for publishing packages.
-Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file +XML for App-V Policy Configuration documents for publishing packages.
+Value type is xml. Supported operations are Add, Get, Delete, and Replace.
\ No newline at end of file diff --git a/windows/client-management/mdm/enterpriseextfilessystem-csp.md b/windows/client-management/mdm/enterpriseextfilessystem-csp.md index 12f02b683f..58fdde76ab 100644 --- a/windows/client-management/mdm/enterpriseextfilessystem-csp.md +++ b/windows/client-management/mdm/enterpriseextfilessystem-csp.md @@ -40,10 +40,10 @@ EnterpriseExtFileSystem The following list describes the characteristics and parameters. **./Vendor/MSFT/EnterpriseExtFileSystem** -The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
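Review bot: the `+AppVPublishing/LastSync/SyncProgressLatest sync state. One of the following values may be returned:` line in the EnterpriseAppVManagement hunk above fuses the node name with its description and, unlike every other node in this file, lacks the bold markers; it should be `**AppVPublishing/LastSync/SyncProgress**` with "Latest sync state. ..." on the following line. The nearby context line `- SYN\C_PROGRESS_UNPUBLISH_PACKAGES (4)` has the escaping backslash in the wrong place (compare `SYNC\_PROGRESS\_PUBLISH\_GROUP_PACKAGES`). The file also still ends with "\ No newline at end of file" after the change; worth adding the trailing newline while the file is being touched.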
+The root node for the EnterpriseExtFileSystem configuration service provider. Supported operations are Add and Get.
**Persistent** -The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Persistent folder, it accesses that data from the EnterpriseExtFileSystem\Persistent node. Files written to the Persistent folder persists over ordinary power cycles.
> **Important** There is a limit to the amount of data that can be persisted, which varies depending on how much disk space is available on one of the partitions. This data cap amount (that can be persisted) varies by manufacturer. > @@ -54,24 +54,24 @@ The following list describes the characteristics and parameters. **NonPersistent** -The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
+The EnterpriseExtFileSystem CSP allows an enterprise to read, write, delete and list files in this folder. When an app writes data to the Non-Persistent folder, it accesses that data from the EnterpriseExtFileSystem\NonPersistent node. Files written to the NonPersistent folder will persist over ordinary power cycles.
-When the device is wiped, any data stored in the NonPersistent folder is deleted.
+When the device is wiped, any data stored in the NonPersistent folder is deleted.
**OemProfile** -Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
+Added in Windows 10, version 1511. The EnterpriseExtFileSystem CSP allows an enterprise to deploy an OEM profile on the device, such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver. The file is placed into the \data\shareddata\oem\public\profile\ folder of the device.
***Directory*** -The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
+The name of a directory in the device file system. Any Directory node can have directories and files as child nodes.
-Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
+Use the Add command to create a new directory. You cannot use it to add a new directory under a file system root.
-Use the Get command to return the list of child node names under Directory.
+Use the Get command to return the list of child node names under Directory.
-Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
+Use the Get command with ?List=Struct to recursively return all child node names, including subdirectory names, under Directory.
***Filename*** -The name of a file in the device file system.
+The name of a file in the device file system.
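Review bot: Typo in the OemProfile description: "such as a barcode scanner profile then can be consumed by the OEM barcode scanner driver" should be "that can be consumed". Separately, the NonPersistent paragraph says files in that folder "will persist over ordinary power cycles", which reads as a contradiction of the node name until the next line explains that the folder is cleared on a device wipe; consider joining the two sentences so the distinction is explicit, e.g. "Files written to the NonPersistent folder survive ordinary power cycles but are deleted when the device is wiped." The `-`/`+` pairs here are textually identical, so none of these issues are introduced by the change, but the lines are already being rewritten and it is the natural place to correct them.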
Supported operations is Get. diff --git a/windows/client-management/mdm/firewall-csp.md b/windows/client-management/mdm/firewall-csp.md index 19fbe15c22..2d9fbf4570 100644 --- a/windows/client-management/mdm/firewall-csp.md +++ b/windows/client-management/mdm/firewall-csp.md @@ -103,68 +103,68 @@ Firewall ----------------Name ``` **./Vendor/MSFT/Firewall** -Root node for the Firewall configuration service provider.
+Root node for the Firewall configuration service provider.
**MdmStore** -Interior node.
-Supported operation is Get.
+Interior node.
+Supported operation is Get.
**MdmStore/Global** -Interior node.
-Supported operations are Get.
+Interior node.
+Supported operations are Get.
**MdmStore/Global/PolicyVersionSupported** -Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
-Value type in integer. Supported operation is Get.
+Integer value that contains the maximum policy version that the server host can accept. The version number is two octets in size. The lowest-order octet is the minor version; the second-to-lowest octet is the major version. This value is not merged and is always a fixed value for a particular firewall and advanced security components software build.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/CurrentProfiles** -Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
-Value type in integer. Supported operation is Get.
+Integer value that contains a bitmask of the current enforced profiles that are maintained by the server firewall host. See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types. This value is available only in the dynamic store; therefore, it is not merged and has no merge law.
+Value type in integer. Supported operation is Get.
**MdmStore/Global/DisableStatefulFtp** -Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
-Default value is false.
-Data type is bool. Supported operations are Add, Get, Replace, and Delete.
+Boolean value. If false, the firewall performs stateful File Transfer Protocol (FTP) filtering to allow secondary connections. True means stateful FTP is disabled. The merge law for this option is to let "true" values win.
+Default value is false.
+Data type is bool. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/SaIdleTime** -This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 300.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures the security association idle time, in seconds. Security associations are deleted after network traffic is not seen for this specified period of time. The value is integer and MUST be in the range of 300 to 3,600 inclusive. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 300.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PresharedKeyEncoding** -Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 1.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Specifies the preshared key encoding that is used. The value is integer and MUST be a valid value from the PRESHARED_KEY_ENCODING_VALUES enumeration. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 1.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/IPsecExempt** -This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
-Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+This value configures IPsec exceptions. The value is integer and MUST be a combination of the valid flags that are defined in IPSEC_EXEMPT_VALUES; therefore, the maximum value MUST always be IPSEC_EXEMPT_MAX-1 for servers supporting a schema version of 0x0201 and IPSEC_EXEMPT_MAX_V2_0-1 for servers supporting a schema version of 0x0200. If the maximum value is exceeded when the method RRPC_FWSetGlobalConfig (Opnum 4) is called, the method returns ERROR_INVALID_PARAMETER. This error code is returned if no other preceding error is discovered. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/CRLcheck** -This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
+This value specifies how certificate revocation list (CRL) verification is enforced. The value is integer and MUST be 0, 1, or 2. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, use the local store value. Valid valued:
Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/PolicyVersion** -This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
-Value type is string. Supported operation is Get.
+This value contains the policy version of the policy store being managed. This value is not merged and therefore, has no merge law.
+Value type is string. Supported operation is Get.
**MdmStore/Global/BinaryVersionSupported** -This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
-Value type is string. Supported operation is Get.
+This value contains the binary version of the structures and data types that are supported by the server. This value is not merged. In addition, this value is always a fixed value for a specific firewall and advanced security component's software build. This value identifies a policy configuration option that is supported only on servers that have a schema version of 0x0201.
+Value type is string. Supported operation is Get.
**MdmStore/Global/OpportunisticallyMatchAuthSetPerKM** -This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Boolean value. Supported operations are Add, Get, Replace, and Delete.
+This value is bool used as an on/off switch. When this option is false (off), keying modules MUST ignore the entire authentication set if they do not support all of the authentication suites specified in the set. When this option is true (on), keying modules MUST ignore only the authentication suites that they don’t support. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Boolean value. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/Global/EnablePacketQueue** -This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
+This value specifies how scaling for the software on the receive side is enabled for both the encrypted receive and clear text forward path for the IPsec tunnel gateway scenario. Use of this option also ensures that the packet order is preserved. The data type for this option value is integer and is a combination of flags. Valid values:
Default value is 0.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+Default value is 0.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**MdmStore/DomainProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PrivateProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**MdmStore/PublicProfile** -Interior node. Supported operation is Get.
+Interior node. Supported operation is Get.
**/EnableFirewall** -Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value for the firewall and advanced security enforcement. If this value is false, the server MUST NOT block any network traffic, regardless of other policy settings. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableStealthMode** -Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. When this option is false, the server operates in stealth mode. The firewall rules used to enforce stealth mode are implementation-specific. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/Shielded** -Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
-Default value is false.
-Value type is bool. Supported operations are Get and Replace.
+Boolean value. If this value is true and EnableFirewall is on, the server MUST block all incoming traffic regardless of other policy settings. The merge law for this option is to let "true" values win.
+Default value is false.
+Value type is bool. Supported operations are Get and Replace.
**/DisableUnicastResponsesToMulticastBroadcast** -Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If it is true, unicast responses to multicast broadcast traffic is blocked. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DisableInboundNotifications** -Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is false.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, the firewall MAY display a notification to the user when an application is blocked from listening on a port. If this value is on, the firewall MUST NOT display such a notification. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is false.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AuthAppsAllowUserPrefMerge** -Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, authorized application firewall rules in the local store are ignored and not enforced. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/GlobalPortsAllowUserPrefMerge** -Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, global port firewall rules in the local store are ignored and not enforced. The setting only has meaning if it is set or enumerated in the Group Policy store or if it is enumerated from the GroupPolicyRSoPStore. The merge law for this option is to let the value GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalPolicyMerge** -Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, firewall rules from the local store are ignored and not enforced. The merge law for this option is to always use the value of the GroupPolicyRSoPStore. This value is valid for all schema versions.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/AllowLocalIpsecPolicyMerge** -Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. If this value is false, connection security rules from the local store are ignored and not enforced, regardless of the schema version and connection security rule version. The merge law for this option is to always use the value of the GroupPolicyRSoPStore.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**/DefaultOutboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
+This value is the action that the firewall does by default (and evaluates at the very end) on outbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block.
Default value is 0 (allow).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 0 (allow).
+Value type is integer. Supported operations are Add, Get and Replace.
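Review bot: Typo under MdmStore/Global/CRLcheck: "Valid valued:" should be "Valid values:", and the colon is followed directly by "Default value is 0." with no enumeration of what 0, 1 and 2 mean; the same pattern appears under MdmStore/Global/EnablePacketQueue ("Valid values:" then "Default value is 0."), so please confirm the value lists survive the markup change rather than being dropped. Three further wording issues on lines this hunk rewrites: under DisableInboundNotifications the two branches are described as "false" and "on" ("If this value is on, the firewall MUST NOT display such a notification"), which should be "true" for consistency with the rest of the page; under GlobalPortsAllowUserPrefMerge "let the value GroupPolicyRSoPStore win" is missing "of the"; and under DefaultOutboundAction the sentence "DefaultOutboundAction will block all outbound traffic unless it is explicitly specified not to block" sits next to "Default value is 0 (allow)", which reads as a contradiction. Suggest rephrasing the latter to make clear it describes the behaviour when the action is set to block, e.g. "When set to block, outbound traffic is blocked unless an allow rule explicitly permits it."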
Sample syncxml to provision the firewall settings to evaluate @@ -263,70 +263,70 @@ Sample syncxml to provision the firewall settings to evaluate ``` **/DefaultInboundAction** -This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
+This value is the action that the firewall does by default (and evaluates at the very end) on inbound connections. The merge law for this option is to let the value of the GroupPolicyRSoPStore.win if it is configured; otherwise, the local store value is used.
Default value is 1 (block).
-Value type is integer. Supported operations are Add, Get and Replace.
+Default value is 1 (block).
+Value type is integer. Supported operations are Add, Get and Replace.
**/DisableStealthModeIpsecSecuredPacketExemption** -Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
-Default value is true.
-Value type is bool. Supported operations are Add, Get and Replace.
+Boolean value. This option is ignored if DisableStealthMode is true. Otherwise, when this option is true, the firewall's stealth mode rules MUST NOT prevent the host computer from responding to unsolicited network traffic if that traffic is secured by IPsec. The merge law for this option is to let the value of the GroupPolicyRSoPStore win if it is configured; otherwise, the local store value is used. For schema versions 0x0200, 0x0201, and 0x020A, this value is invalid and MUST NOT be used.
+Default value is true.
+Value type is bool. Supported operations are Add, Get and Replace.
**FirewallRules** -A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
+A list of rules controlling traffic through the Windows Firewall. Each Rule ID is OR'ed. Within each rule ID each Filter type is AND'ed.
**FirewallRules/_FirewallRuleName_** -Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
-Supported operations are Add, Get, Replace, and Delete.
+Unique alpha numeric identifier for the rule. The rule name must not include a forward slash (/).
+Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App** -Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
+Rules that control connections for an app, program, or service. Specified based on the intersection of the following nodes:
If not specified, the default is All.
-Supported operation is Get.
+If not specified, the default is All.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/App/PackageFamilyName** -This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the PackageFamilyName of the app. The PackageFamilyName is the unique name of a Microsoft Store application.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/FilePath** -This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This App/Id value represents the full file path of the app. For example, C:\Windows\System\Notepad.exe.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/Fqbn** -Fully Qualified Binary Name
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Fully Qualified Binary Name
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/App/ServiceName** -This is a service name used in cases when a service, not an application, is sending or receiving traffic.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+This is a service name used in cases when a service, not an application, is sending or receiving traffic.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Protocol** -0-255 number representing the ip protocol (TCP = 6, UDP = 17)
-If not specified, the default is All.
-Value type is integer. Supported operations are Add, Get, Replace, and Delete.
+0-255 number representing the ip protocol (TCP = 6, UDP = 17)
+If not specified, the default is All.
+Value type is integer. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalPortRanges** -Comma separated list of ranges. For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges. For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/RemotePortRanges** -Comma separated list of ranges, For example, 100-120,200,300-320.
-If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Comma separated list of ranges, For example, 100-120,200,300-320.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/LocalAddressRanges** -Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
+Comma separated list of local addresses covered by the rule. The default value is "*". Valid tokens include:
If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/*FirewallRuleName*/RemoteAddressRanges** -List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
+List of comma separated tokens specifying the remote addresses covered by the rule. The default value is "*". Valid tokens include:
If not specified, the default is All.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
-The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
+If not specified, the default is All.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
+The tokens "Intranet", "RmtIntranet", "Internet" and "Ply2Renders" are supported on Windows 10, version 1809, and later.
**FirewallRules/_FirewallRuleName_/Description** -Specifies the description of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the description of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Enabled** -Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. -
If not specified - a new rule is enabled by default.
-Boolean value. Supported operations are Get and Replace.
+Indicates whether the rule is enabled or disabled. If the rule must be enabled, this value must be set to true. +
If not specified - a new rule is enabled by default.
+Boolean value. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Profiles** -Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
-If not specified, the default is All.
-Value type is integer. Supported operations are Get and Replace.
+Specifies the profiles to which the rule belongs: Domain, Private, Public. . See FW_PROFILE_TYPE for the bitmasks that are used to identify profile types.
+If not specified, the default is All.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Action** -Specifies the action for the rule.
-Supported operation is Get.
+Specifies the action for the rule.
+Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Action/Type** -Specifies the action the rule enforces. Supported values:
+Specifies the action the rule enforces. Supported values:
If not specified, the default is allow.
-Value type is integer. Supported operations are Get and Replace.
+If not specified, the default is allow.
+Value type is integer. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/Direction** -The rule is enabled based on the traffic direction as following. Supported values:
+The rule is enabled based on the traffic direction as following. Supported values:
Value type is string. Supported operations are Get and Replace.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/InterfaceTypes** -Comma separated list of interface types. Valid values:
+Comma separated list of interface types. Valid values:
If not specified, the default is All.
-Value type is string. Supported operations are Get and Replace.
+If not specified, the default is All.
+Value type is string. Supported operations are Get and Replace.
**FirewallRules/_FirewallRuleName_/EdgeTraversal** -Indicates whether edge traversal is enabled or disabled for this rule.
-The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
-New rules have the EdgeTraversal property disabled by default.
-Value type is bool. Supported operations are Add, Get, Replace, and Delete.
+Indicates whether edge traversal is enabled or disabled for this rule.
+The EdgeTraversal setting indicates that specific inbound traffic is allowed to tunnel through NATs and other edge devices using the Teredo tunneling technology. In order for this setting to work correctly, the application or service with the inbound firewall rule needs to support IPv6. The primary application of this setting allows listeners on the host to be globally addressable through a Teredo IPv6 address.
+New rules have the EdgeTraversal property disabled by default.
+Value type is bool. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/LocalUserAuthorizationList** -Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Specifies the list of authorized local users for this rule. This is a string in Security Descriptor Definition Language (SDDL) format.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
**FirewallRules/_FirewallRuleName_/Status** -Provides information about the specific version of the rule in deployment for monitoring purposes.
-Value type is string. Supported operation is Get.
+Provides information about the specific version of the rule in deployment for monitoring purposes.
+Value type is string. Supported operation is Get.
**FirewallRules/_FirewallRuleName_/Name** -Name of the rule.
-Value type is string. Supported operations are Add, Get, Replace, and Delete.
+Name of the rule.
+Value type is string. Supported operations are Add, Get, Replace, and Delete.
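Review bot: the LocalUserAuthorizationList entry says only that the value is "a string in Security Descriptor Definition Language (SDDL) format" and never shows one or says what happens on Add/Replace when the SDDL does not parse; since every removed line in this hunk reappears with identical text (presumably a whitespace-only cleanup), this is a cheap moment to add a sample DACL string and state whether a malformed value is rejected. The Status node's "Provides information about the specific version of the rule in deployment for monitoring purposes" is equally opaque about what the returned string actually contains; one sample value would settle it.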
diff --git a/windows/client-management/mdm/healthattestation-csp.md b/windows/client-management/mdm/healthattestation-csp.md index 03fb5b432d..e570b9890d 100644 --- a/windows/client-management/mdm/healthattestation-csp.md +++ b/windows/client-management/mdm/healthattestation-csp.md @@ -26,18 +26,18 @@ The following is a list of functions performed by the Device HealthAttestation C ## Terms **TPM (Trusted Platform Module)** -TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
+TPM is a specialized hardware-protected logic that performs a series of hardware protected security operations including providing protected storage, random number generation, encryption and signing.
**DHA (Device HealthAttestation) feature** -The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
+The Device HealthAttestation (DHA) feature enables enterprise IT administrators to monitor the security posture of managed devices remotely by using hardware (TPM) protected and attested data via a tamper-resistant and tamper-evident communication channel.
**DHA-Enabled device (Device HealthAttestation enabled device)** -A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
+A Device HealthAttestation enabled (DHA-Enabled) device is a computing device (phone, desktop, laptop, tablet, server) that runs Windows 10 and supports TPM version 1.2 or 2.0.
**DHA-Session (Device HealthAttestation session)** -The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
+The Device HealthAttestation session (DHA-Session) describes the end-to-end communication flow that is performed in one device health attestation session.
-The following list of transactions is performed in one DHA-Session:
+The following list of transactions is performed in one DHA-Session:
The following list of data is produced or consumed in one DHA-Transaction:
+The following list of data is produced or consumed in one DHA-Transaction:
Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
-DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
-The following list of operations is performed by DHA-Enabled-MDM
+Device HealthAttestation enabled (DHA-Enabled) device management solution is a device management tool that is integrated with the DHA feature.
+DHA-Enabled device management solutions enable enterprise IT managers to raise the security protection bar for their managed devices based on hardware (TPM) protected data that can be trusted even if a device is compromised by advanced security threats or running a malicious (jailbroken) operating system.
+The following list of operations is performed by DHA-Enabled-MDM
The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
-The following list of operations is performed by DHA-CSP:
+The Device HealthAttestation Configuration Service Provider (DHA-CSP) uses a device’s TPM and firmware to measure critical security properties of the device’s BIOS and Windows boot, such that even on a system infected with kernel level malware or a rootkit, these properties cannot be spoofed.
+The following list of operations is performed by DHA-CSP:
Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
+Device HealthAttestation Service (DHA-Service) validates the data it receives from DHA-CSP and issues a highly trusted hardware (TPM) protected report (DHA-Report) to DHA-Enabled device management solutions through a tamper resistant and tamper evident communication channel.
-DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
-The following list of operations is performed by DHA-Service:
+DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”. DHA-Service supports a variety of implementation scenarios including cloud, on premises, air-gapped, and hybrid scenarios.
+The following list of operations is performed by DHA-Service:
- Receives device boot data (DHA-BootData) from a DHA-Enabled device(DHA-Cloud)
DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
+(DHA-Cloud)
DHA-Cloud is a Microsoft owned and operated DHA-Service that is:
(DHA-OnPrem)
DHA-OnPrem refers to DHA-Service that is running on premises:
+(DHA-OnPrem)
DHA-OnPrem refers to DHA-Service that is running on premises:
(DHA-EMC)
DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
+(DHA-EMC)
DHA-EMC refers to an enterprise-managed DHA-Service that is running as a virtual host/service on a Windows Server 2016 compatible - enterprise-managed cloud service, such as Microsoft Azure.
The root node for the device HealthAttestation configuration service provider.
+The root node for the device HealthAttestation configuration service provider.
**VerifyHealth** (Required) -Notifies the device to prepare a device health verification request.
+Notifies the device to prepare a device health verification request.
-The supported operation is Execute.
+The supported operation is Execute.
**Status** (Required) -Provides the current status of the device health request.
+Provides the current status of the device health request.
-The supported operation is Get.
+The supported operation is Get.
-The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
+The following list shows some examples of supported values. For the complete list of status see Device HealthAttestation CSP status and error codes.
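Review bot: "DHA-Service is available in 2 flavors: “DHA-Cloud” and “DHA-Server2016”" contradicts the three deployments this same hunk goes on to define (DHA-Cloud, DHA-OnPrem, DHA-EMC); either the sentence should list all three, or the DHA-EMC paragraph should state that it is a DHA-Server2016 instance hosted on a managed cloud such as Azure. Separately, "runs Windows 10 and supports TPM version 1.2 or 2.0" in the DHA-Enabled device definition should point out that some report attributes exist only for TPM 2.0 (ResetCount and RestartCount are marked that way later in this patch), so an MDM author knows a TPM 1.2 device produces a thinner DHA-Report.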
- 0 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_UNINITIALIZED): DHA-CSP is preparing a request to get a new DHA-EncBlob from DHA-Service - 1 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_REQUESTED): DHA-CSP is waiting for the DHA-Service to respond back, and issue a DHA-EncBlob to the device @@ -213,35 +213,35 @@ HealthAttestation - 3 - (HEALTHATTESTATION\_CERT\_RETRIEVAL_COMPLETE): DHA-Data is ready for pick up **ForceRetrieve** (Optional) -Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
+Instructs the client to initiate a new request to DHA-Service, and get a new DHA-EncBlob (a summary of the boot state that is issued by DHA-Service). This option should only be used if the MDM server enforces a certificate freshness policy, which needs to force a device to get a fresh encrypted blob from DHA-Service.
-Boolean value. The supported operation is Replace.
+Boolean value. The supported operation is Replace.
**Certificate** (Required) -Instructs the DHA-CSP to forward DHA-Data to the MDM server.
+Instructs the DHA-CSP to forward DHA-Data to the MDM server.
-Value type is b64.The supported operation is Get.
+Value type is b64.The supported operation is Get.
**Nonce** (Required) -Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
+Enables MDMs to protect the device health attestation communications from man-in-the-middle type (MITM) attacks with a crypt-protected random value that is generated by the MDM Server.
-The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
+The nonce is in hex format, with a minimum size of 8 bytes, and a maximum size of 32 bytes.
-The supported operations are Get and Replace.
+The supported operations are Get and Replace.
**CorrelationId** (Required) -Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
+Identifies a unique device health attestation session. CorrelationId is used to correlate DHA-Service logs with the MDM server events and Client event logs for debug and troubleshooting.
-Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
+Value type is integer, the minimum value is - 2,147,483,648 and the maximum value is 2,147,483,647. The supported operation is Get.
**HASEndpoint** (Optional) -Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
+Identifies the fully qualified domain name (FQDN) of the DHA-Service that is assigned to perform attestation. If an FQDN is not assigned, DHA-Cloud (Microsoft owned and operated cloud service) will be used as the default attestation service.
-Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
+Value type is string. The supported operations are Get and Replace. The default value is has.spserv.microsoft.com.
**TpmReadyStatus** (Required) -Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
-Value type is integer. The supported operation is Get.
+Added in Windows 10, version 1607 March service release. Returns a bitmask of information describing the state of TPM. It indicates whether the TPM of the device is in a ready and trusted state.
+Value type is integer. The supported operation is Get.
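Review bot: the Nonce description stops at "a crypt-protected random value that is generated by the MDM Server"; to deliver the man-in-the-middle protection it promises, the text should say that the MDM sets a fresh value with Replace before each VerifyHealth and rejects any DHA-Report whose nonce does not match the one it set, since a nonce that is reused or never checked protects nothing. Small text fixes in the same hunk: "crypt-protected" should be "cryptographically protected", "Value type is b64.The supported operation" is missing a space, and "the minimum value is - 2,147,483,648" has a stray space after the minus sign that makes it read as a list dash.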
## **DHA-CSP integration steps** @@ -508,14 +508,14 @@ The following list of data points are verified by the DHA-Service in DHA-Report Each of these are described in further detail in the following sections, along with the recommended actions to take. **Issued** -The date and time DHA-report was evaluated or issued to MDM.
+The date and time DHA-report was evaluated or issued to MDM.
**AIKPresent** -When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
+When an Attestation Identity Key (AIK) is present on a device, it indicates that the device has an endorsement key (EK) certificate. It can be trusted more than a device that doesn’t have an EK certificate.
-If AIKPresent = True (1), then allow access.
+If AIKPresent = True (1), then allow access.
-If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
+If AIKPresent = False (0), then take one of the following actions that align with your enterprise policies:
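Review bot: "The date and time DHA-report was evaluated or issued to MDM" needs an article ("the DHA-report") and, more importantly, the format and time zone of the value, because an MDM enforcing the "certificate freshness policy" that the ForceRetrieve node refers to has to compare Issued against its own clock; without that the allow/deny guidance in this hunk cannot be implemented reliably.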
- Disallow all access - Disallow access to HBI assets @@ -523,24 +523,24 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **ResetCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has hibernated or resumed.
+This attribute reports the number of times a PC device has hibernated or resumed.
**RestartCount** (Reported only for devices that support TPM 2.0) -This attribute reports the number of times a PC device has rebooted
+This attribute reports the number of times a PC device has rebooted
**DEPPolicy** -A device can be trusted more if the DEP Policy is enabled on the device.
+A device can be trusted more if the DEP Policy is enabled on the device.
-Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
+Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies that perform additional checks on memory to help prevent malicious code from running on a system. Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on.
-DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+DEPPolicy can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable DEP, type **bcdedit.exe /set {current} nx AlwaysOff** - To enable DEP, type **bcdedit.exe /set {current} nx AlwaysOn** -If DEPPolicy = 1 (On), then allow access.
+If DEPPolicy = 1 (On), then allow access.
-If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If DEPPolicy = 0 (Off), then take one of the following actions that align with your enterprise policies:
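Review bot: "Data Execution Prevention (DEP) Policy defines is a set of hardware and software technologies" has a leftover verb, and the following sentence, "Secure boot allows a limited list on x86/amd64 and on ARM NTOS locks it to on", is unparseable as written and should be rewritten or dropped. The commands are introduced as "commands in WMI or a PowerShell script", but bcdedit.exe is a stand-alone command-line tool, not a WMI class; "from an elevated command prompt or PowerShell" is the accurate phrasing. The text also shows only nx AlwaysOn and AlwaysOff, so it should state how the OptIn and OptOut settings are reported in DEPPolicy, since OptIn is the client default an MDM will actually encounter.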
- Disallow all access - Disallow access to HBI assets @@ -548,15 +548,15 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BitLockerStatus** (at boot time) -When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
+When BitLocker is reported "on" at boot time, the device is able to protect data that is stored on the drive from unauthorized access, when the system is turned off or goes to hibernation.
-Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
+Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume. BitLocker uses the TPM to help protect the Windows operating system and user data and helps to ensure that a computer is not tampered with, even if it is left unattended, lost, or stolen.
-If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
+If the computer is equipped with a compatible TPM, BitLocker uses the TPM to lock the encryption keys that protect the data. As a result, the keys cannot be accessed until the TPM has verified the state of the computer.
-If BitLockerStatus = 1 (On), then allow access.
+If BitLockerStatus = 1 (On), then allow access.
-If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
+If BitLockerStatus = 0 (Off), then take one of the following actions that align with your enterprise policies:
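Review bot: "Windows BitLocker Drive Encryption, encrypts all data stored on the Windows operating system volume" has a stray comma, and because that sentence scopes the attribute to the OS volume, the text should state explicitly that BitLockerStatus = 1 says nothing about fixed data drives or removable media; an MDM treating it as "the disk is encrypted" would over-trust the device.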
- Disallow all access - Disallow access to HBI assets @@ -564,11 +564,11 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootManagerRevListVersion** -This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
+This attribute indicates the version of the Boot Manager that is running on the device, to allow you to track and manage the security of the boot sequence/environment.
-If BootManagerRevListVersion = [CurrentVersion], then allow access.
+If BootManagerRevListVersion = [CurrentVersion], then allow access.
-If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If BootManagerRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
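Review bot: the attribute is named BootManagerRevListVersion, i.e. a revocation-list version, but the description says it "indicates the version of the Boot Manager that is running on the device", which is a different quantity; the text should say which one is reported. "[CurrentVersion]" is also a placeholder with no source: an MDM author needs to know where the expected value comes from (a Microsoft-published list, or a value the enterprise records from a known-good device) before the allow/deny rule can be implemented.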
- Disallow all access - Disallow access to HBI and MBI assets @@ -576,11 +576,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityRevListVersion** -This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
+This attribute indicates the version of the code that is performing integrity checks during the boot sequence. Using this attribute can help you detect if the device is running the latest version of the code that performs integrity checks, or if it is exposed to security risks (revoked) and enforce an appropriate policy action.
-If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
+If CodeIntegrityRevListVersion = [CurrentVersion], then allow access.
-If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityRevListVersion != [CurrentVersion], then take one of the following actions that align with your enterprise policies:
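Review bot: "Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue" at the top of this hunk doubles "such as" and drops "to" before "investigate"; the same sentence recurs verbatim in the hunks that close the CodeIntegrityRevListVersion and OSKernelDebuggingEnabled lists and should be fixed in all three places. CodeIntegrityRevListVersion also has the same name/description mismatch as BootManagerRevListVersion: a revocation-list version is not "the version of the code that is performing integrity checks".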
- Disallow all access - Disallow access to HBI and MBI assets @@ -588,11 +588,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **SecureBootEnabled** -When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
+When Secure Boot is enabled the core components used to boot the machine must have correct cryptographic signatures that are trusted by the organization that manufactured the device. The UEFI firmware verifies this before it lets the machine start. If any files have been tampered with, breaking their signature, the system will not boot.
-If SecureBootEnabled = 1 (True), then allow access.
+If SecureBootEnabled = 1 (True), then allow access.
-If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If SecurebootEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
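Review bot: the two conditions spell the attribute differently ("SecureBootEnabled = 1" and "SecurebootEnabled = 0"); an MDM author copying the name into a policy will get a mismatch. "signatures that are trusted by the organization that manufactured the device" also understates how Secure Boot works: the firmware trusts whatever signers are in its signature database, which on most devices includes the Microsoft UEFI CA rather than only the OEM, and the sentence should say so.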
- Disallow all access - Disallow access to HBI assets @@ -600,16 +600,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **BootDebuggingEnabled** -Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
+Boot debug enabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: the device may run unstable code, or be configured with fewer security restrictions that is required for testing and development.
-Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Boot debugging can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} bootdebug off** - To enable boot debugging, type **bcdedit.exe /set {current} bootdebug on** -If BootdebuggingEnabled = 0 (False), then allow access.
+If BootdebuggingEnabled = 0 (False), then allow access.
-If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If BootDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
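Review bot: "fewer security restrictions that is required for testing and development" should read "than are required", and the attribute is spelled both "BootDebuggingEnabled" and "BootdebuggingEnabled" within the same hunk. As in the DEPPolicy section, bcdedit.exe is described as "commands in WMI or a PowerShell script"; it is a command-line tool and the phrasing should match.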
- Disallow all access - Disallow access to HBI assets @@ -617,11 +617,11 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling VSM using WMI or a PowerShell script. **OSKernelDebuggingEnabled** -OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
+OSKernelDebuggingEnabled points to a device that is used in development and testing. Devices that are used for test and development typically are less secure: they may run unstable code, or be configured with fewer security restrictions required for testing and development.
-If OSKernelDebuggingEnabled = 0 (False), then allow access.
+If OSKernelDebuggingEnabled = 0 (False), then allow access.
-If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If OSKernelDebuggingEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
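Review bot: the corrective action that closes the BootDebuggingEnabled list at the top of this hunk, "such as enabling VSM using WMI or a PowerShell script", does not address boot debugging at all; the natural remediation is the "bcdedit.exe /set {current} bootdebug off" command the section already lists. OSKernelDebuggingEnabled, unlike its siblings, gives no enable/disable command; suggest adding "bcdedit.exe /debug off" (kernel debugging is controlled by the debug element, not by bootdebug) so the corrective action for this attribute is equally concrete.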
- Disallow all access - Disallow access to HBI assets @@ -629,15 +629,15 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as such as informing the technical support team to contact the owner investigate the issue. **CodeIntegrityEnabled** -When code integrity is enabled, code execution is restricted to integrity verified code.
+When code integrity is enabled, code execution is restricted to integrity verified code.
-Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
+Code integrity is a feature that validates the integrity of a driver or system file each time it is loaded into memory. Code integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrator privileges.
-On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
+On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
-If CodeIntegrityEnabled = 1 (True), then allow access.
+If CodeIntegrityEnabled = 1 (True), then allow access.
-If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If CodeIntegrityEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets @@ -645,16 +645,16 @@ Each of these are described in further detail in the following sections, along w - Take one of the previous actions and additionally place the device in a watch list to monitor the device more closely for potential risks. **TestSigningEnabled** -When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
+When test signing is enabled, the device does not enforce signature validation during boot, and allows the unsigned drivers (such as unsigned UEFI modules) to load during boot.
-Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
+Test signing can be disabled or enabled by using the following commands in WMI or a PowerShell script:
- To disable boot debugging, type **bcdedit.exe /set {current} testsigning off** - To enable boot debugging, type **bcdedit.exe /set {current} testsigning on** -If TestSigningEnabled = 0 (False), then allow access.
+If TestSigningEnabled = 0 (False), then allow access.
-If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
+If TestSigningEnabled = 1 (True), then take one of the following actions that align with your enterprise policies:
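Review bot: the two command bullets are labelled "To disable boot debugging" and "To enable boot debugging" but set testsigning; this is a copy-paste from the BootDebuggingEnabled section and should read "test signing". The description, "allows the unsigned drivers (such as unsigned UEFI modules) to load", is also inaccurate: testsigning permits test-signed kernel-mode code to load, not unsigned code, and UEFI modules are validated by Secure Boot in firmware rather than by the Windows test-signing setting, so the parenthetical should go.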
- Disallow all access - Disallow access to HBI and MBI assets @@ -662,33 +662,33 @@ Each of these are described in further detail in the following sections, along w - Trigger a corrective action, such as enabling test signing using WMI or a PowerShell script. **SafeMode** -Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
+Safe mode is a troubleshooting option for Windows that starts your computer in a limited state. Only the basic files and drivers necessary to run Windows are started.
-If SafeMode = 0 (False), then allow access.
+If SafeMode = 0 (False), then allow access.
-If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
+If SafeMode = 1 (True), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **WinPE** -Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
+Windows pre-installation Environment (Windows PE) is a minimal operating system with limited services that is used to prepare a computer for Windows installation, to copy disk images from a network file server, and to initiate Windows Setup.
-If WinPE = 0 (False), then allow access.
+If WinPE = 0 (False), then allow access.
-If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
+If WinPE = 1 (True), then limit access to remote resources that are required for Windows OS installation.
**ELAMDriverLoaded** (Windows Defender) -To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
+To use this reporting feature you must disable "Hybrid Resume" on the device. Early launch anti-malware (ELAM) provides protection for the computers in your network when they start up and before third-party drivers initialize.
-In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
+In the current release, this attribute only monitors/reports if a Microsoft 1st party ELAM (Windows Defender) was loaded during initial boot.
-If a device is expected to use a 3rd party antivirus program, ignore the reported state.
+If a device is expected to use a 3rd party antivirus program, ignore the reported state.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 1 (True), then allow access.
-If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
+If a device is expected to use Windows Defender and ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies, also accounting for whether it is a desktop or mobile device:
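Review bot: the corrective action that closes the TestSigningEnabled list at the top of this hunk, "such as enabling test signing", is the opposite of what the attribute calls for; it should be "disabling test signing" with the "testsigning off" command given above. In the ELAMDriverLoaded section, "you must disable "Hybrid Resume" on the device" gives no pointer to where that setting lives or why it affects this attribute; one sentence on each would make the precondition actionable.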
- Disallow all access - Disallow access to HBI assets @@ -696,61 +696,61 @@ Each of these are described in further detail in the following sections, along w **Bcdedit.exe /set {current} vsmlaunchtype auto** -If ELAMDriverLoaded = 1 (True), then allow access.
+If ELAMDriverLoaded = 1 (True), then allow access.
-If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
+If ELAMDriverLoaded = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue. **VSMEnabled** -Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
+Virtual Secure Mode (VSM) is a container that protects high value assets from a compromised kernel. VSM requires about 1GB of memory – it has just enough capability to run the LSA service that is used for all authentication brokering.
-VSM can be enabled by using the following command in WMI or a PowerShell script:
+VSM can be enabled by using the following command in WMI or a PowerShell script:
-bcdedit.exe /set {current} vsmlaunchtype auto
+bcdedit.exe /set {current} vsmlaunchtype auto
-If VSMEnabled = 1 (True), then allow access.
-If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
+If VSMEnabled = 1 (True), then allow access.
+If VSMEnabled = 0 (False), then take one of the following actions that align with your enterprise policies:
- Disallow all access - Disallow access to HBI assets - Trigger a corrective action, such as informing the technical support team to contact the owner investigate the issue **PCRHashAlgorithmID** -This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
+This attribute is an informational attribute that identifies the HASH algorithm that was used by TPM; no compliance action required.
**BootAppSVN** -This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
+This attribute identifies the security version number of the Boot Application that was loaded during initial boot on the attested device
-If reported BootAppSVN equals an accepted value, then allow access.
+If reported BootAppSVN equals an accepted value, then allow access.
-If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootAppSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **BootManagerSVN** -This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
+This attribute identifies the security version number of the Boot Manager that was loaded during initial boot on the attested device.
-If reported BootManagerSVN equals an accepted value, then allow access.
+If reported BootManagerSVN equals an accepted value, then allow access.
-If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootManagerSVN does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **TPMVersion** -This attribute identifies the version of the TPM that is running on the attested device.
-TPMVersion node provides to replies "1" and "2":
+This attribute identifies the version of the TPM that is running on the attested device.
+TPMVersion node provides to replies "1" and "2":
Based on the reply you receive from TPMVersion node:
+Based on the reply you receive from TPMVersion node:
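Review bot: The rewritten ELAMDriverLoaded and VSMEnabled lines carry over two wording defects that should be fixed while the lines are being touched: "contact the owner investigate the issue" is missing a verb (suggest "contact the owner and investigate the issue"), and "TPMVersion node provides to replies "1" and "2"" should read "provides two replies, "1" and "2"". The VSMEnabled paragraph says VSM "can be enabled by using the following command in WMI or a PowerShell script" and then gives `bcdedit.exe /set {current} vsmlaunchtype auto`; bcdedit is a boot-configuration command-line tool, not a WMI call, so say "from an elevated command prompt or PowerShell". Finally, BootAppSVN and BootManagerSVN tell the reader to compare against "an accepted value" without saying where accepted security version numbers come from; a pointer to the source of those values would make the check actionable.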
- If reported TPMVersion equals an accepted value, then allow access. - If reported TPMVersion does not equal an accepted value, then take one of the following actions that align with your enterprise policies: @@ -758,63 +758,63 @@ Each of these are described in further detail in the following sections, along w - Direct the device to an enterprise honeypot, to further monitor the device's activities. **PCR0** -The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
+The measurement that is captured in PCR[0] typically represents a consistent view of the Host Platform between boot cycles. It contains a measurement of components that are provided by the host platform manufacturer.
-Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
+Enterprise managers can create a allow list of trusted PCR[0] values, compare the PCR[0] value of the managed devices (the value that is verified and reported by HAS) with the allow list, and then make a trust decision based on the result of the comparison.
-If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
+If your enterprise does not have a allow list of accepted PCR[0] values, then take no action.
-If PCR[0] equals an accepted allow list value, then allow access.
+If PCR[0] equals an accepted allow list value, then allow access.
-If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
+If PCR[0] does not equal any accepted listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **SBCPHash** -SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
+SBCPHash is the finger print of the Custom Secure Boot Configuration Policy (SBCP) that was loaded during boot in Windows devices, except PCs.
-If SBCPHash is not present, or is an accepted allow-listed value, then allow access. +
If SBCPHash is not present, or is an accepted allow-listed value, then allow access. -
If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If SBCPHash is present in DHA-Report, and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **CIPolicy** -This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
+This attribute indicates the Code Integrity policy that is controlling the security of the boot environment.
-If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
+If CIPolicy is not present, or is an accepted allow-listed value, then allow access.
-If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
+If CIPolicy is present and is not a allow-listed value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Place the device in a watch list to monitor the device more closely for potential risks. **BootRevListInfo** -This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Boot Revision List that was loaded during initial boot on the attested device.
-If reported BootRevListInfo version equals an accepted value, then allow access.
+If reported BootRevListInfo version equals an accepted value, then allow access.
-If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported BootRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **OSRevListInfo** -This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
+This attribute identifies the Operating System Revision List that was loaded during initial boot on the attested device.
-If reported OSRevListInfo version equals an accepted value, then allow access.
+If reported OSRevListInfo version equals an accepted value, then allow access.
-If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
+If reported OSRevListInfo version does not equal an accepted value, then take one of the following actions that align with your enterprise policies:
- Disallow all access - Direct the device to an enterprise honeypot, to further monitor the device's activities. **HealthStatusMismatchFlags** -HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
+HealthStatusMismatchFlags attribute appears if DHA-Service detects an integrity issue (mismatch) in the DHA-Data it receives from device management solutions, for validation.
-In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
+In case of a detected issue a list of impacted DHA-report elements will be listed under the HealthStatusMismatchFlags attribute.
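Review bot: The rewritten PCR0, SBCPHash and CIPolicy lines keep "a allow list" and "a allow-listed value", which should be "an allow list" / "an allow-listed value", and "finger print" in the SBCPHash description should be "fingerprint". More importantly, HealthStatusMismatchFlags is the only attribute in this section without a recommended action: the text says the flags appear when DHA-Service detects an integrity mismatch in the DHA-Data forwarded by the management solution, which means the rest of that report cannot be relied on, so add the same "If present, then take one of the following actions..." pattern used for the other attributes, with not granting access on the basis of the other attributes in that report as the minimum. The PCR0 sentence "If your enterprise does not have an allow list of accepted PCR[0] values, then take no action" would also benefit from a clause noting that PCR[0] gives no assurance until an allow list built from known-good firmware exists.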
## **Device HealthAttestation CSP status and error codes** @@ -825,204 +825,204 @@ Each of these are described in further detail in the following sections, along wApplication data
The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
Application data
The Store for Business service provides metadata for the applications that have been acquired via the Store for Business. This includes the application identifier that is used to deploy online license applications, artwork for an application that is used to create a company portal, and localized descriptions for applications.
Licensing models
Offline vs. Online
+Licensing models
Offline vs. Online
Online-licensed applications require connectivity to the Microsoft Store. Users require an Azure Active Directory identity and rely on the store services on the device to be able to acquire an application from the store. It is similar to how applications are acquired from the Microsoft Store using a Microsoft account. Assigning or reclaiming seats for an application require a call to the Store for Business services.
Offline-licensed applications enable an organization to use the application for imaging and for devices that may not have connectivity to the store or may not have Azure Active Directory. Offline-licensed application do not require connectivity to the store, however it can be updated directly from the store if the device has connectivity and the app update policies allow updates to be distributed via the store.
Root node for the Messaging configuration service provider.
+Root node for the Messaging configuration service provider.
**AuditingLevel** -Turns on the "Text" auditing feature.
-The following list shows the supported values:
+Turns on the "Text" auditing feature.
+The following list shows the supported values:
Supported operations are Get and Replace.
+Supported operations are Get and Replace.
**Auditing** -Node for auditing.
-Supported operation is Get.
+Node for auditing.
+Supported operation is Get.
**Messages** -Node for messages.
-Supported operation is Get.
+Node for messages.
+Supported operation is Get.
**Count** -The number of messages to return in the Data setting. The default is 100.
-Supported operations are Get and Replace.
+The number of messages to return in the Data setting. The default is 100.
+Supported operations are Get and Replace.
**RevisionId** -Retrieves messages whose revision ID is greater than RevisionId.
-Supported operations are Get and Replace.
+Retrieves messages whose revision ID is greater than RevisionId.
+Supported operations are Get and Replace.
**Data** -The JSON string of text messages on the device.
-Supported operations are Get and Replace.
+The JSON string of text messages on the device.
+Supported operations are Get and Replace.
**SyncML example** diff --git a/windows/client-management/mdm/mobile-device-enrollment.md b/windows/client-management/mdm/mobile-device-enrollment.md index 6c898afe02..ceacdde6dd 100644 --- a/windows/client-management/mdm/mobile-device-enrollment.md +++ b/windows/client-management/mdm/mobile-device-enrollment.md @@ -140,53 +140,53 @@ The enrollment server can decline enrollment messages using the SOAP Fault formas:
MessageFormat
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
Message format is bad
80180001
s:
MessageFormat
MENROLL_E_DEVICE_MESSAGE_FORMAT_ERROR
Message format is bad
80180001
s:
Authentication
MENROLL_E_DEVICE_AUTHENTICATION_ERROR
User not recognized
80180002
s:
Authentication
MENROLL_E_DEVICE_AUTHENTICATION_ERROR
User not recognized
80180002
s:
Authorization
MENROLL_E_DEVICE_AUTHORIZATION_ERROR
User not allowed to enroll
80180003
s:
Authorization
MENROLL_E_DEVICE_AUTHORIZATION_ERROR
User not allowed to enroll
80180003
s:
CertificateRequest
MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR
Failed to get certificate
80180004
s:
CertificateRequest
MENROLL_E_DEVICE_CERTIFCATEREQUEST_ERROR
Failed to get certificate
80180004
s:
EnrollmentServer
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
80180005
s:
EnrollmentServer
MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR
80180005
a:
InternalServiceFault
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
The server hit an unexpected issue
80180006
a:
InternalServiceFault
MENROLL_E_DEVICE_INTERNALSERVICE_ERROR
The server hit an unexpected issue
80180006
a:
InvalidSecurity
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
Cannot parse the security header
80180007
a:
InvalidSecurity
MENROLL_E_DEVICE_INVALIDSECURITY_ERROR
Cannot parse the security header
80180007
DeviceCapReached
MENROLL_E_DEVICECAPREACHED
User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.
80180013
DeviceCapReached
MENROLL_E_DEVICECAPREACHED
User already enrolled in too many devices. Delete or unenroll old ones to fix this error. The user can fix it without admin help.
80180013
DeviceNotSupported
MENROLL_E_DEVICENOTSUPPORTED
Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.
80180014
DeviceNotSupported
MENROLL_E_DEVICENOTSUPPORTED
Specific platform (e.g. Windows) or version is not supported. There is no point retrying or calling admin. User could upgrade device.
80180014
NotSupported
MENROLL_E_NOTSUPPORTED
Mobile device management generally not supported (would save an admin call)
80180015
NotSupported
MENROLL_E_NOTSUPPORTED
Mobile device management generally not supported (would save an admin call)
80180015
NotEligibleToRenew
MENROLL_E_NOTELIGIBLETORENEW
Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.
80180016
NotEligibleToRenew
MENROLL_E_NOTELIGIBLETORENEW
Device is trying to renew but server rejects the request. Client might show notification for this if Robo fails. Check time on device. The user can fix it by re-enrolling.
80180016
InMaintenance
MENROLL_E_INMAINTENANCE
Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.
80180017
InMaintenance
MENROLL_E_INMAINTENANCE
Account is in maintenance, retry later. The user can retry later, but they may need to contact the admin because they would not know when problem is solved.
80180017
UserLicense
MENROLL_E_USERLICENSE
License of user is in bad state and blocking the enrollment. The user needs to call the admin.
80180018
UserLicense
MENROLL_E_USERLICENSE
License of user is in bad state and blocking the enrollment. The user needs to call the admin.
80180018
InvalidEnrollmentData
MENROLL_E_ENROLLMENTDATAINVALID
The server rejected the enrollment data. The server may not be configured correctly.
80180019
InvalidEnrollmentData
MENROLL_E_ENROLLMENTDATAINVALID
The server rejected the enrollment data. The server may not be configured correctly.
80180019
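Review bot: The EnrollmentServer row (MENROLL_E_DEVICE_CONFIGMGRSERVER_ERROR, 80180005) is the only row in the fault table with no description cell, while every other fault explains what the client or user should do; add a description so the column stays consistent after this reflow. The NotEligibleToRenew row says "Client might show notification for this if Robo fails" without defining "Robo"; spell the term out on first use so an admin reading the error can act on it.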
The root node for the NetworkQoSPolicy configuration service provider.
+The root node for the NetworkQoSPolicy configuration service provider.
**Version** -Specifies the version information. +
Specifies the version information. -
The data type is int. +
The data type is int. -
The only supported operation is Get. +
The only supported operation is Get. ***Name*** -
Node for the QoS policy name. +
Node for the QoS policy name. ***Name*/IPProtocolMatchCondition** -
Specifies the IP protocol used to match the network traffic. +
Specifies the IP protocol used to match the network traffic. -
Valid values are: +
Valid values are: - 0 (default) - Both TCP and UDP - 1 - TCP - 2 - UDP -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/AppPathNameMatchCondition** -
Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. +
Specifies the name of an application to be used to match the network traffic, such as application.exe or %ProgramFiles%\application.exe. -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/SourcePortMatchCondition** -
Specifies a single port or a range of ports to be used to match the network traffic source. +
Specifies a single port or a range of ports to be used to match the network traffic source. -
Valid values are: +
Valid values are: - A range of source ports: _[first port number]_-_[last port number]_ - A single source port: _[port number]_ -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/DestinationPortMatchCondition** -
Specifies a single source port or a range of ports to be used to match the network traffic destination. +
Specifies a single source port or a range of ports to be used to match the network traffic destination. -
Valid values are: +
Valid values are: - A range of destination ports: _[first port number]_-_[last port number]_ - A single destination port: _[port number]_ -
The data type is char. +
The data type is char. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/PriorityValue8021Action** -
Specifies the IEEE 802.1p priority value to apply to matching network traffic. +
Specifies the IEEE 802.1p priority value to apply to matching network traffic. -
Valid values are 0-7. +
Valid values are 0-7. -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
The supported operations are Add, Get, Delete, and Replace. ***Name*/DSCPAction** -
The differentiated services code point (DSCP) value to apply to matching network traffic. +
The differentiated services code point (DSCP) value to apply to matching network traffic. -
Valid values are 0-63. +
Valid values are 0-63. -
The data type is int. +
The data type is int. -
The supported operations are Add, Get, Delete, and Replace. +
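Review bot: In the DestinationPortMatchCondition node the rewritten description still says "Specifies a single source port or a range of ports to be used to match the network traffic destination"; "source" is a copy-paste from SourcePortMatchCondition and should read "a single destination port or a range of ports". Since this hunk rewrites every line of the file for trailing whitespace, it is the right place to fix it. Also, AppPathNameMatchCondition and both port nodes give "The data type is char." while the Version, priority and DSCP nodes say int; if "char" means a string value, say "string" to match the convention used elsewhere in the CSP reference (for example "Value type is string" in the Personalization CSP).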
The supported operations are Add, Get, Delete, and Replace. ## Related topics diff --git a/windows/client-management/mdm/oma-dm-protocol-support.md b/windows/client-management/mdm/oma-dm-protocol-support.md index 40757af748..5e8ad6957f 100644 --- a/windows/client-management/mdm/oma-dm-protocol-support.md +++ b/windows/client-management/mdm/oma-dm-protocol-support.md @@ -48,8 +48,8 @@ The following table shows the OMA DM standards that Windows uses.
Data transport and session
Data transport and session
Client-initiated remote HTTPS DM session over SSL.
Remote HTTPS DM session over SSL.
Remote DM server initiation notification using WAP Push over Short Message Service (SMS). Not used by enterprise management.
Bootstrap XML
Bootstrap XML
OMA Client Provisioning XML.
DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
+DM protocol commands
The following list shows the commands that are used by the device. For further information about the OMA DM command elements, see "SyncML Representation Protocol Device Management Usage (OMA-SyncML-DMRepPro-V1_1_2-20030613-A)" available from the OMA website.
Add (Implicit Add supported)
Alert (DM alert): Generic alert (1226) is used by enterprise management client when the user triggers an MDM unenrollment action from the device or when a CSP finishes some asynchronous actions. Device alert (1224) is used to notify the server some device triggered event.
Meta XML tag in SyncHdr is ignored by the device.
OMA DM standard objects
OMA DM standard objects
DevInfo
DevDetail
OMA DM DMS account objects (OMA DM version 1.2)
Security
Security
Authenticate DM server initiation notification SMS message (not used by enterprise management)
Application layer Basic and MD5 client authentication
Authenticate server with MD5 credential at application level
Nodes
In the OMA DM tree, the following rules apply for the node name:
+Nodes
In the OMA DM tree, the following rules apply for the node name:
"." can be part of the node name.
The node name cannot be empty.
Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
+Provisioning Files
Provisioning XML must be well formed and follow the definition in SyncML Representation Protocol specification.
If an XML element that is not a valid OMA DM command is under SyncBody, the status code 400 is returned for that element.
To represent a Unicode string as a URI, first encode the string as UTF-8. Then encode each of the UTF-8 bytes using URI encoding.
@@ -133,12 +133,12 @@ The following table shows the OMA DM standards that Windows uses.WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
WBXML support
Windows supports sending and receiving SyncML in both XML format and encoded WBXML format. This is configurable by using the DEFAULTENCODING node under the w7 APPLICATION characteristic during enrollment. For more information about WBXML encoding, see section 8 of the SyncML Representation Protocol specification.
Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
Handling of large objects
In Windows 10, version 1511, client support for uploading large objects to the server was added.
Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
Chal
Specifies an authentication challenge. The server or client can send a challenge to the other if no credentials or inadequate credentials were given in the original request message.
Cmd
Specifies the name of an OMA DM command referenced in a Status element.
Cmd
Specifies the name of an OMA DM command referenced in a Status element.
CmdID
Specifies the unique identifier for an OMA DM command.
CmdID
Specifies the unique identifier for an OMA DM command.
CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
CmdRef
Specifies the ID of the command for which status or results information is being returned. This element takes the value of the CmdID element of the corresponding request message.
Cred
Specifies the authentication credential for the originator of the message.
Cred
Specifies the authentication credential for the originator of the message.
Final
Indicates that the current message is the last message in the package.
Final
Indicates that the current message is the last message in the package.
LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
LocName
Specifies the display name in the Target and Source elements, used for sending a user ID for MD5 authentication.
LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
LocURI
Specifies the address of the target or source location. If the address contains a non-alphanumeric character, it must be properly escaped according to the URL encoding standard.
MsgID
Specifies a unique identifier for an OMA DM session message.
MsgID
Specifies a unique identifier for an OMA DM session message.
MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
MsgRef
Specifies the ID of the corresponding request message. This element takes the value of the request message MsgID element.
RespURI
Specifies the URI that the recipient must use when sending a response to this message.
RespURI
Specifies the URI that the recipient must use when sending a response to this message.
SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
+SessionID
Specifies the identifier of the OMA DM session associated with the containing message.
Source
Specifies the message source address.
Source
Specifies the message source address.
SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
SourceRef
Specifies the source of the corresponding request message. This element takes the value of the request message Source element and is returned in the Status or Results element.
Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
Target
Specifies the address of the node, in the DM Tree, that is the target of the OMA DM command.
TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
TargetRef
Specifies the target address in the corresponding request message. This element takes the value of the request message Target element and is returned in the Status or Results element.
VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
VerDTD
Specifies the major and minor version identifier of the OMA DM representation protocol specification used to represent the message.
VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
VerProto
Specifies the major and minor version identifier of the OMA DM protocol specification used with the message.
1
DM client is invoked to call back to the management server
+1
DM client is invoked to call back to the management server
Enterprise scenario – The device task schedule invokes the DM client.
The MO server sends a server trigger message to invoke the DM client.
+The MO server sends a server trigger message to invoke the DM client.
The trigger message includes the server ID and tells the client device to initiate a session with the server. The client device authenticates the trigger message and verifies that the server is authorized to communicate with it.
Enterprise scenario - At the scheduled time, the DM client is invoked periodically to call back to the enterprise management server over HTTPS.
2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
2
The device sends a message, over an IP connection, to initiate the session.
This message includes device information and credentials. The client and server do mutual authentication over an SSL channel or at the DM application level.
3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
3
The DM server responds, over an IP connection (HTTPS).
The server sends initial device management commands, if any.
4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
4
The device responds to server management commands.
This message includes the results of performing the specified device management operations.
5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
5
The DM server terminates the session or sends another command.
The DM session ends, or Step 4 is repeated.
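Review bot: The Security row lists "Application layer Basic and MD5 client authentication" and "Authenticate server with MD5 credential at application level", while the session walkthrough says the client and server "do mutual authentication over an SSL channel or at the DM application level"; the page should make clear which of the two enterprise management relies on, since MD5 digest authentication at the application layer is not an adequate substitute for an authenticated TLS channel. "Client-initiated remote HTTPS DM session over SSL" should say TLS, as SSL is no longer what the HTTPS session uses. The rewritten session table also introduces "The MO server sends a server trigger message" with "MO" undefined; spell it out or use "DM server" as the rest of the table does.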
Defines the root node for the Personalization configuration service provider.
+Defines the root node for the Personalization configuration service provider.
**DesktopImageUrl** -Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Desktop Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**DesktopImageStatus** -Represents the status of the desktop image. Valid values:
+Represents the status of the desktop image. Valid values:
Supporter operation is Get.
+Supporter operation is Get.
> [!Note] > This setting is only used to query status. To set the image, use the DesktopImageUrl setting. **LockScreenImageUrl** -Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
-Value type is string. Supported operations are Add, Get, Delete, and Replace.
+Specify a jpg, jpeg or png image to be used as Lock Screen Image. This setting can take a http or https Url to a remote image to be downloaded, a file Url to a local image.
+Value type is string. Supported operations are Add, Get, Delete, and Replace.
**LockScreenImageStatus** -Represents the status of the lock screen image. Valid values:
+Represents the status of the lock screen image. Valid values:
Supporter operation is Get.
+Supporter operation is Get.
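Review bot: "Supporter operation is Get." under DesktopImageStatus and LockScreenImageStatus is a typo carried into the rewritten lines; it should be "Supported operation is Get." The DesktopImageUrl and LockScreenImageUrl descriptions also need an article and conjunction fix ("an http or https URL to a remote image to be downloaded, or a file URL to a local image"). Since the node accepts plain http and the device downloads the image on the server's behalf, the page should recommend https for remote images so the content cannot be swapped in transit.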
> [!Note] > This setting is only used to query status. To set the image, use the LockScreenImageUrl setting. diff --git a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md index 6c81fd4df2..1ed663dd10 100644 --- a/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md +++ b/windows/client-management/mdm/policies-in-policy-csp-admx-backed.md @@ -121,6 +121,8 @@ ms.date: 10/08/2020 - [ADMX_CtrlAltDel/DisableTaskMgr](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-disabletaskmgr) - [ADMX_CtrlAltDel/NoLogoff](./policy-csp-admx-ctrlaltdel.md#admx-ctrlaltdel-nologoff) - [ADMX_DataCollection/CommercialIdPolicy](./policy-csp-admx-datacollection.md#admx-datacollection-commercialidpolicy) +- [ADMX_DCOM/DCOMActivationSecurityCheckAllowLocalList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckallowlocallist) +- [ADMX_DCOM/DCOMActivationSecurityCheckExemptionList](./policy-csp-admx-dcom.md#admx-dcom-dcomactivationsecuritycheckexemptionlist) - [ADMX_Desktop/AD_EnableFilter](./policy-csp-admx-desktop.md#admx-desktop-ad-enablefilter) - [ADMX_Desktop/AD_HideDirectoryFolder](./policy-csp-admx-desktop.md#admx-desktop-ad-hidedirectoryfolder) - [ADMX_Desktop/AD_QueryLimit](./policy-csp-admx-desktop.md#admx-desktop-ad-querylimit) 
@@ -150,6 +152,8 @@ ms.date: 10/08/2020 - [ADMX_Desktop/sz_DB_DragDropClose](./policy-csp-admx-desktop.md#admx-desktop-sz-db-dragdropclose) - [ADMX_Desktop/sz_DB_Moving](./policy-csp-admx-desktop.md#admx-desktop-sz-db-moving) - [ADMX_Desktop/sz_DWP_NoHTMLPaper](./policy-csp-admx-desktop.md#admx-desktop-sz-dwp-nohtmlpaper) +- [ADMX_DeviceCompat/DeviceFlags](./policy-csp-admx-devicecompat.md#admx-devicecompat-deviceflags) +- [ADMX_DeviceCompat/DriverShims](./policy-csp-admx-devicecompat.md#admx-devicecompat-drivershims) - [ADMX_DeviceInstallation/DeviceInstall_AllowAdminInstall](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-allowadmininstall) - [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_DetailText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-detailtext) - [ADMX_DeviceInstallation/DeviceInstall_DeniedPolicy_SimpleText](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-deniedpolicy-simpletext) 
@@ -158,6 +162,7 @@ ms.date: 10/08/2020 - [ADMX_DeviceInstallation/DeviceInstall_Removable_Deny](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-removable-deny) - [ADMX_DeviceInstallation/DeviceInstall_SystemRestore](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-systemrestore) - [ADMX_DeviceInstallation/DriverInstall_Classes_AllowUser](./policy-csp-admx-deviceinstallation.md#admx-deviceinstallation-deviceinstall-classes-allowuser) +- [ADMX_DeviceGuard/ConfigCIPolicy](./policy-csp-admx-deviceguard.md#admx-deviceguard-configcipolicy) - [ADMX_DeviceSetup/DeviceInstall_BalloonTips](./policy-csp-admx-devicesetup.md#admx-devicesetup-deviceinstall-balloontips) - [ADMX_DeviceSetup/DriverSearchPlaces_SearchOrderConfiguration](./policy-csp-admx-devicesetup.md#admx-devicesetup-driversearchplaces-searchorderconfiguration) - [ADMX_DigitalLocker/Digitalx_DiableApplication_TitleText_1](./policy-csp-admx-digitallocker.md#admx-digitallocker-digitalx-diableapplication-titletext-1) @@ -185,6 +190,7 @@ ms.date: 10/08/2020 - [ADMX_DnsClient/DNS_UpdateTopLevelDomainZones](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-updatetopleveldomainzones) - [ADMX_DnsClient/DNS_UseDomainNameDevolution](./policy-csp-admx-dnsclient.md#admx-dnsclient-dns-usedomainnamedevolution) - [ADMX_DnsClient/Turn_Off_Multicast](./policy-csp-admx-dnsclient.md#admx-dnsclient-turn-off-multicast) +- [ADMX_DFS/DFSDiscoverDC](./policy-csp-admx-dfs.md#admx-dfs-dfsdiscoverdc) - [ADMX_DWM/DwmDefaultColorizationColor_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-1) - [ADMX_DWM/DwmDefaultColorizationColor_2](./policy-csp-admx-dwm.md#admx-dwm-dwmdefaultcolorizationcolor-2) - [ADMX_DWM/DwmDisallowAnimations_1](./policy-csp-admx-dwm.md#admx-dwm-dwmdisallowanimations-1) 
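Review bot: both insertions in this region break the alphabetical order the list otherwise keeps. `ADMX_DeviceGuard/ConfigCIPolicy` is added after the `ADMX_DeviceInstallation` entries but sorts before them (DeviceGuard precedes DeviceInstallation), and `ADMX_DFS/DFSDiscoverDC` is added after `ADMX_DnsClient/Turn_Off_Multicast` but belongs ahead of the `ADMX_DigitalLocker` entries (DF sorts before Di). Move each new line to its sorted position so readers scanning the list for a code-integrity or DFS policy find it where they expect.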
@@ -203,6 +209,7 @@ ms.date: 10/08/2020 - [ADMX_EAIME/L_TurnOnLexiconUpdate](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlexiconupdate) - [ADMX_EAIME/L_TurnOnLiveStickers](./policy-csp-admx-eaime.md#admx-eaime-l-turnonlivestickers) - [ADMX_EAIME/L_TurnOnMisconversionLoggingForMisconversionReport](./policy-csp-admx-eaime.md#admx-eaime-l-turnonmisconversionloggingformisconversionreport) +- [ADMX_EventLogging/EnableProtectedEventLogging](./policy-csp-admx-eventlogging.md#admx-eventlogging-enableprotectedeventlogging) - [ADMX_EncryptFilesonMove/NoEncryptOnMove](./policy-csp-admx-encryptfilesonmove.md#admx-encryptfilesonmove-noencryptonmove) - [ADMX_EnhancedStorage/ApprovedEnStorDevices](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedenstordevices) - [ADMX_EnhancedStorage/ApprovedSilos](./policy-csp-admx-enhancedstorage.md#admx-enhancedstorage-approvedsilos) 
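Review bot: `ADMX_EventLogging/EnableProtectedEventLogging` is inserted between the `ADMX_EAIME` and `ADMX_EncryptFilesonMove` entries, but the list is alphabetical and `EventLogging` sorts after the `ADMX_EventLog` entries (Ev after En); place it directly after the last `ADMX_EventLog/Channel_Log_Retention_*` line. Since Protected Event Logging is a control defenders look for, also confirm the fragment `#admx-eventlogging-enableprotectedeventlogging` matches the heading id generated in policy-csp-admx-eventlogging.md.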
@@ -262,22 +269,29 @@ ms.date: 10/08/2020 - [ADMX_EventLog/Channel_Log_Retention_2](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-2) - [ADMX_EventLog/Channel_Log_Retention_3](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-3) - [ADMX_EventLog/Channel_Log_Retention_4](./policy-csp-admx-eventlog.md#admx-eventlog-channel-log-retention-4) +- [ADMX_EventViewer/EventViewer_RedirectionProgram](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogram) +- [ADMX_EventViewer/EventViewer_RedirectionProgramCommandLineParameters](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionprogramcommandlineparameters) +- [ADMX_EventViewer/EventViewer_RedirectionURL](./policy-csp-admx-eventviewer.md#admx-eventviewer-eventviewer_redirectionurl) - [ADMX_Explorer/AdminInfoUrl](./policy-csp-admx-explorer.md#admx-explorer-admininfourl) - [ADMX_Explorer/AlwaysShowClassicMenu](./policy-csp-admx-explorer.md#admx-explorer-alwaysshowclassicmenu) - [ADMX_Explorer/DisableRoamedProfileInit](./policy-csp-admx-explorer.md#admx-explorer-disableroamedprofileinit) - [ADMX_Explorer/PreventItemCreationInUsersFilesFolder](./policy-csp-admx-explorer.md#admx-explorer-preventitemcreationinusersfilesfolder) - [ADMX_Explorer/TurnOffSPIAnimations](./policy-csp-admx-explorer.md#admx-explorer-turnoffspianimations) +- [ADMX_ExternalBoot/PortableOperatingSystem_Hibernate](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_hibernate) +- [ADMX_ExternalBoot/PortableOperatingSystem_Sleep](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_sleep) +- [ADMX_ExternalBoot/PortableOperatingSystem_Launcher](./policy-csp-admx-externalboot.md#admx-externalboot-portableoperatingsystem_launcher) - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) - 
[ADMX_FileServerVSSProvider/Pol_EncryptProtocol](./policy-csp-admx-fileservervssprovider.md#admx-fileservervssprovider-pol-encryptprotocol) - [ADMX_FileSys/DisableCompression](./policy-csp-admx-filesys.md#admx-filesys-disablecompression) - [ADMX_FileSys/DisableDeleteNotification](./policy-csp-admx-filesys.md#admx-filesys-disabledeletenotification) -- ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) +- [ADMX_FileSys/DisableEncryption](./policy-csp-admx-filesys.md#admx-filesys-disableencryption) - [ADMX_FileSys/EnablePagefileEncryption](./policy-csp-admx-filesys.md#admx-filesys-enablepagefileencryption) - [ADMX_FileSys/LongPathsEnabled](./policy-csp-admx-filesys.md#admx-filesys-longpathsenabled) - [ADMX_FileSys/ShortNameCreationSettings](./policy-csp-admx-filesys.md#admx-filesys-shortnamecreationsettings) - [ADMX_FileSys/SymlinkEvaluation](./policy-csp-admx-filesys.md#admx-filesys-symlinkevaluation) - [ADMX_FileSys/TxfDeprecatedFunctionality](./policy-csp-admx-filesys.md#admx-filesys-txfdeprecatedfunctionality) - [ADMX_FileRecovery/WdiScenarioExecutionPolicy](./policy-csp-admx-filerecovery.md#admx-filerecovery-wdiscenarioexecutionpolicy) +- [ADMX_FileRevocation/DelegatedPackageFamilyNames](./policy-csp-admx-filerevocation.md#admx-filerevocation-delegatedpackagefamilynames) - [ADMX_FolderRedirection/DisableFRAdminPin](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpin) - [ADMX_FolderRedirection/DisableFRAdminPinByFolder](./policy-csp-admx-folderredirection.md#admx-folderredirection-disablefradminpinbyfolder) - [ADMX_FolderRedirection/FolderRedirectionEnableCacheRename](./policy-csp-admx-folderredirection.md#admx-folderredirection-folderredirectionenablecacherename) 
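Review bot: the new anchor fragments in this hunk keep underscores (`#admx-eventviewer-eventviewer_redirectionprogram`, `#admx-externalboot-portableoperatingsystem_hibernate`, and the sibling EventViewer/ExternalBoot links), while every existing entry lowercases and hyphenates the policy name (compare `#admx-eventlog-channel-log-retention-2` just above); unless the target pages emit underscore ids, these links will not land on their headings, so use the `#admx-eventviewer-eventviewer-redirectionprogram` form. Two smaller points in the same hunk: the `ADMX_ExternalBoot` entries are ordered Hibernate, Sleep, Launcher, so Launcher should move before Sleep; and the unchanged context shows `ADMX_FileRecovery/WdiScenarioExecutionPolicy` twice (before `ADMX_FileServerVSSProvider` and again after `ADMX_FileSys/TxfDeprecatedFunctionality`), a duplicate this hunk could drop while it touches the region. The bracket fix on `ADMX_FileSys/DisableEncryption` is correct.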
@@ -285,6 +299,9 @@ ms.date: 10/08/2020 - [ADMX_FolderRedirection/LocalizeXPRelativePaths_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-localizexprelativepaths-2) - [ADMX_FolderRedirection/PrimaryComputer_FR_1](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-1) - [ADMX_FolderRedirection/PrimaryComputer_FR_2](./policy-csp-admx-folderredirection.md#admx-folderredirection-primarycomputer-fr-2) +- [ADMX_FramePanes/NoReadingPane](./policy-csp-admx-framepanes.md#admx-framepanes-noreadingpane) +- [ADMX_FramePanes/NoPreviewPane](./policy-csp-admx-framepanes.md#admx-framepanes-nopreviewpane) +- [ADMX_FTHSVC/WdiScenarioExecutionPolicy](./policy-csp-admx-fthsvc.md#admx-fthsvc-wdiscenarioexecutionpolicy) - [ADMX_Globalization/BlockUserInputMethodsForSignIn](./policy-csp-admx-globalization.md#admx-globalization-blockuserinputmethodsforsignin) - [ADMX_Globalization/CustomLocalesNoSelect_1](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-1) - [ADMX_Globalization/CustomLocalesNoSelect_2](./policy-csp-admx-globalization.md#admx-globalization-customlocalesnoselect-2) @@ -386,6 +403,7 @@ ms.date: 10/08/2020 - [ADMX_ICM/ShellRemovePublishToWeb_2](./policy-csp-admx-icm.md#admx-icm-shellremovepublishtoweb-2) - [ADMX_ICM/WinMSG_NoInstrumentation_1](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-1) - [ADMX_ICM/WinMSG_NoInstrumentation_2](./policy-csp-admx-icm.md#admx-icm-winmsg_noinstrumentation-2) +- [ADMX_IIS/PreventIISInstall](./policy-csp-admx-iis.md#admx-iis-preventiisinstall) - [ADMX_kdc/CbacAndArmor](./policy-csp-admx-kdc.md#admx-kdc-cbacandarmor) - [ADMX_kdc/ForestSearch](./policy-csp-admx-kdc.md#admx-kdc-forestsearch) - [ADMX_kdc/PKINITFreshness](./policy-csp-admx-kdc.md#admx-kdc-pkinitfreshness) 
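Review bot: `ADMX_FramePanes/NoReadingPane` is listed before `ADMX_FramePanes/NoPreviewPane`, but policy names within an area are sorted alphabetically elsewhere in this list; swap the two lines.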
@@ -407,8 +425,10 @@ ms.date: 10/08/2020 - [ADMX_LanmanWorkstation/Pol_CipherSuiteOrder](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-ciphersuiteorder) - [ADMX_LanmanWorkstation/Pol_EnableHandleCachingForCAFiles](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enablehandlecachingforcafiles) - [ADMX_LanmanWorkstation/Pol_EnableOfflineFilesforCAShares](./policy-csp-admx-lanmanworkstation.md#admx-lanmanworkstation-pol-enableofflinefilesforcashares) +- [ADMX_LeakDiagnostic/WdiScenarioExecutionPolicy](./policy-csp-admx-leakdiagnostic.md#admx-leakdiagnostic-wdiscenarioexecutionpolicy) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableLLTDIO](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablelltdio) - [ADMX_LinkLayerTopologyDiscovery/LLTD_EnableRspndr](./policy-csp-admx-linklayertopologydiscovery.md#admx-linklayertopologydiscovery-lltd-enablerspndr) +- [ADMX_LocationProviderAdm/DisableWindowsLocationProvider_1](./policy-csp-admx-locationprovideradm.md#admx-locationprovideradm-disablewindowslocationprovider_1) - [ADMX_Logon/BlockUserFromShowingAccountDetailsOnSignin](./policy-csp-admx-logon.md#admx-logon-blockuserfromshowingaccountdetailsonsignin) - [ADMX_Logon/DisableAcrylicBackgroundOnLogon](./policy-csp-admx-logon.md#admx-logon-disableacrylicbackgroundonlogon) - [ADMX_Logon/DisableExplorerRunLegacy_1](./policy-csp-admx-logon.md#admx-logon-disableexplorerrunlegacy-1) 
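Review bot: the anchor `#admx-locationprovideradm-disablewindowslocationprovider_1` keeps the underscore before the numeric suffix, whereas the existing numbered entries around it use a hyphen (`#admx-logon-disableexplorerrunlegacy-1`); change it to `...disablewindowslocationprovider-1` or the link will not resolve to its heading.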
@@ -864,6 +884,7 @@ ms.date: 10/08/2020 - [ADMX_Programs/NoProgramsCPL](./policy-csp-admx-programs.md#admx-programs-noprogramscpl) - [ADMX_Programs/NoWindowsFeatures](./policy-csp-admx-programs.md#admx-programs-nowindowsfeatures) - [ADMX_Programs/NoWindowsMarketplace](./policy-csp-admx-programs.md#admx-programs-nowindowsmarketplace) +- [ADMX_Radar/WdiScenarioExecutionPolicy](./policy-csp-admx-radar.md#admx-radar-wdiscenarioexecutionpolicy) - [ADMX_Reliability/EE_EnablePersistentTimeStamp](./policy-csp-admx-reliability.md#admx-reliability-ee-enablepersistenttimestamp) - [ADMX_Reliability/PCH_ReportShutdownEvents](./policy-csp-admx-reliability.md#admx-reliability-pch-reportshutdownevents) - [ADMX_Reliability/ShutdownEventTrackerStateFile](./policy-csp-admx-reliability.md#admx-reliability-shutdowneventtrackerstatefile) 
@@ -921,12 +942,17 @@ ms.date: 10/08/2020 - [ADMX_sdiageng/BetterWhenConnected](./policy-csp-admx-sdiageng.md#admx-sdiageng-betterwhenconnected) - [ADMX_sdiageng/ScriptedDiagnosticsExecutionPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticsexecutionpolicy) - [ADMX_sdiageng/ScriptedDiagnosticsSecurityPolicy](./policy-csp-admx-sdiageng.md#admx-sdiageng-scripteddiagnosticssecuritypolicy) +- [ADMX_sdiagschd/ScheduledDiagnosticsExecutionPolicy](./policy-csp-admx-sdiagschd.md#admx-sdiagschd-scheduleddiagnosticsexecutionpolicy) - [ADMX_Securitycenter/SecurityCenter_SecurityCenterInDomain](/policy-csp-admx-securitycenter.md#admx-securitycenter-securitycenter-securitycenterindomain) - [ADMX_Sensors/DisableLocationScripting_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-1) - [ADMX_Sensors/DisableLocationScripting_2](./policy-csp-admx-sensors.md#admx-sensors-disablelocationscripting-2) - [ADMX_Sensors/DisableLocation_1](./policy-csp-admx-sensors.md#admx-sensors-disablelocation-1) - [ADMX_Sensors/DisableSensors_1](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-1) - [ADMX_Sensors/DisableSensors_2](./policy-csp-admx-sensors.md#admx-sensors-disablesensors-2) +- [ADMX_ServerManager/Do_not_display_Manage_Your_Server_page](./policy-csp-admx-servermanager.md#admx-servermanager-do_not_display_manage_your_server_page) +- [ADMX_ServerManager/ServerManagerAutoRefreshRate](./policy-csp-admx-servermanager.md#admx-servermanager-servermanagerautorefreshrate) +- [ADMX_ServerManager/DoNotLaunchInitialConfigurationTasks](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchinitialconfigurationtasks) +- [ADMX_ServerManager/DoNotLaunchServerManager](./policy-csp-admx-servermanager.md#admx-servermanager-donotlaunchservermanager) - [ADMX_Servicing/Servicing](./policy-csp-admx-servicing.md#admx-servicing-servicing) - 
[ADMX_SettingSync/DisableAppSyncSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableappsyncsettingsync) - [ADMX_SettingSync/DisableApplicationSettingSync](./policy-csp-admx-settingsync.md#admx-settingsync-disableapplicationsettingsync) @@ -964,6 +990,8 @@ ms.date: 10/08/2020 - [ADMX_Snmp/SNMP_Communities](./policy-csp-admx-snmp.md#admx-snmp-snmp-communities) - [ADMX_Snmp/SNMP_PermittedManagers](./policy-csp-admx-snmp.md#admx-snmp-snmp-permittedmanagers) - [ADMX_Snmp/SNMP_Traps_Public](./policy-csp-admx-snmp.md#admx-snmp-snmp-traps-public) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_1](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_1) +- [ADMX_SoundRec/Soundrec_DiableApplication_TitleText_2](./policy-csp-admx-soundrec.md#admx-soundrec-soundrec_diableapplication_titletext_2) - [ADMX_StartMenu/AddSearchInternetLinkInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-addsearchinternetlinkinstartmenu) - [ADMX_StartMenu/ClearRecentDocsOnExit](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentdocsonexit) - [ADMX_StartMenu/ClearRecentProgForNewUserInStartMenu](./policy-csp-admx-startmenu.md#admx-startmenu-clearrecentprogfornewuserinstartmenu) @@ -1747,4 +1775,4 @@ ms.date: 10/08/2020 ## Related topics -[Policy CSP](policy-configuration-service-provider.md) \ No newline at end of file +[Policy CSP](policy-configuration-service-provider.md) diff --git a/windows/client-management/mdm/policy-configuration-service-provider.md b/windows/client-management/mdm/policy-configuration-service-provider.md index da0f0543dc..36e8c12a73 100644 --- a/windows/client-management/mdm/policy-configuration-service-provider.md +++ b/windows/client-management/mdm/policy-configuration-service-provider.md @@ -48,24 +48,24 @@ The following diagram shows the Policy configuration service provider in tree fo **./Vendor/MSFT/Policy** -The root node for the Policy configuration service provider. +
The root node for the Policy configuration service provider. -
Supported operation is Get. +
Supported operation is Get. **Policy/Config** -
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. +
Node for grouping all policies configured by one source. The configuration source can use this path to set policy values and later query any policy value that it previously set. One policy can be configured by multiple configuration sources. If a configuration source wants to query the result of conflict resolution (for example, if Exchange and MDM both attempt to set a value,) the configuration source can use the Policy/Result path to retrieve the resulting value. -
Supported operation is Get. +
Supported operation is Get. **Policy/Config/_AreaName_** -
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. +
The area group that can be configured by a single technology for a single provider. Once added, you cannot change the value. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/Config/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +
Specifies the name/value pair used in the policy. -
The following list shows some tips to help you when configuring policies: +
The following list shows some tips to help you when configuring policies: - Separate substring values by the Unicode &\#xF000; in the XML file. @@ -77,59 +77,59 @@ The following diagram shows the Policy configuration service provider in tree fo - Value type is string. **Policy/Result** -
Groups the evaluated policies from all providers that can be configured. +
Groups the evaluated policies from all providers that can be configured. -
Supported operation is Get. +
Supported operation is Get. **Policy/Result/_AreaName_** -
The area group that can be configured by a single technology independent of the providers. +
The area group that can be configured by a single technology independent of the providers. -
Supported operation is Get. +
Supported operation is Get. **Policy/Result/_AreaName/PolicyName_** -
Specifies the name/value pair used in the policy. +
Specifies the name/value pair used in the policy. -
Supported operation is Get. +
Supported operation is Get. **Policy/ConfigOperations** -
Added in Windows 10, version 1703. The root node for grouping different configuration operations. +
Added in Windows 10, version 1703. The root node for grouping different configuration operations. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall** -
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
+
Added in Windows 10, version 1703. Allows settings for ADMX files for Win32 and Desktop Bridge apps to be imported (ingested) by your device and processed into new ADMX-backed policies or preferences. By using ADMXInstall, you can add ADMX-backed policies for those Win32 or Desktop Bridge apps that have been added between OS releases. ADMX-backed policies are ingested to your device by using the Policy CSP URI: ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall
. Each ADMX-backed policy or preference that is added is assigned a unique ID. For more information about using Policy CSP to configure Win32 and Desktop Bridge app policies, see Win32 and Desktop Bridge app policy configuration.
> [!NOTE]
> The OPAX settings that are managed by the Microsoft Office Customization Tool are not supported by MDM. For more information about this tool, see [Office Customization Tool](/previous-versions/office/office-2013-resource-kit/cc179097(v=office.15)).
-
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
+
ADMX files that have been installed by using **ConfigOperations/ADMXInstall** can later be deleted by using the URI delete operation. Deleting an ADMX file will delete the ADMX file from disk, remove the metadata from the ADMXdefault registry hive, and delete all the policies that were set from the file. The MDM server can also delete all ADMX policies that are tied to a particular app by calling delete on the URI, ./Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/{AppName}
.
-
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_** -
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. +
Added in Windows 10, version 1703. Specifies the name of the Win32 or Desktop Bridge app associated with the ADMX file. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. +
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app policy is to be imported. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Policy/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. +
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the policy to import. -
Supported operations are Add and Get. Does not support Delete. +
Supported operations are Add and Get. Does not support Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference** -
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. +
Added in Windows 10, version 1703. Specifies that a Win32 or Desktop Bridge app preference is to be imported. -
Supported operations are Add, Get, and Delete. +
Supported operations are Add, Get, and Delete. **Policy/ConfigOperations/ADMXInstall/_AppName_/Preference/_UniqueID_** -
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. +
Added in Windows 10, version 1703. Specifies the unique ID of the app ADMX file that contains the preference to import. -
Supported operations are Add and Get. Does not support Delete. +
Supported operations are Add and Get. Does not support Delete. ## Policies @@ -555,7 +555,18 @@ The following diagram shows the Policy configuration service provider in tree fo -### ADMX_Desktop policies +### ADMX_DCOM policies + +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
-|||
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes | +
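Review bot: this hunk replaces the `### ADMX_Desktop policies` heading with `### ADMX_DCOM policies` instead of inserting the new section ahead of it; the `ADMX_Desktop` policies (`AD_EnableFilter` and the rest, listed in policies-in-policy-csp-admx-backed.md in this same change) still need their heading, so confirm it is re-added after the new DCOM rows. In the edition table that follows, the `Pro` row only loses its old cell (`-|||`) and receives no `+ No` / `+ Yes` cells for the new Windows 10 and Windows 11 columns, unlike every other row, so Pro will render with empty support values; fill it in explicitly.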
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | No | |
Pro | -![]() |
-|||
Business | -![]() |
+ Yes, starting in Windows 10, version 1607 | Yes | |
Enterprise | -![]() |
+ Yes, starting in Windows 10, version 1607 | Yes | |
Education | -![]() |
-Yes, starting in Windows 10, version 1607 | Yes |
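Review bot: the `Pro` row in this table again has its old cell removed (`-|||`) with nothing added in its place, while `Business` and `Enterprise` receive `Yes, starting in Windows 10, version 1607 | Yes`; add explicit Windows 10 and Windows 11 values for Pro so the row is not left blank.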
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
-|||
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes | |
Mobile | -![]() |
+ Yes | +Yes | |
Mobile Enterprise | -![]() |
+ Yes | +Yes |
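Review bot: the `Mobile` and `Mobile Enterprise` rows in this table (and in the two tables that follow it) are marked `Yes` under the new Windows 11 column; no other table in this change lists those editions at all, so confirm the value is intended rather than copied across from the Windows 10 column.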
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes | |
Mobile | -![]() |
+ Yes | +Yes | |
Mobile Enterprise | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes | |
Mobile | -![]() |
+ Yes | +Yes | |
Mobile Enterprise | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | No | |
Pro | -![]() |
-|||
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes |
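Review bot: `Pro` here loses its cell (`-|||`) with no replacement `+` cells, while `Home`, `Business` and `Enterprise` get explicit Windows 10 and Windows 11 values; add the Pro values so the row does not render empty.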
Windows Edition | -Supported? | -Edition | +Windows 10 | +Windows 11 |
---|---|---|---|
Home | -![]() |
+ No | +No |
Pro | -![]() |
-||
Business | -![]() |
+ Yes | +Yes |
Enterprise | -![]() |
+ Yes | +Yes |
Education | -![]() |
-Yes | +Yes |
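Review bot: this header row removes `Edition` (`-Edition`) where the other tables in this change add it (`+Edition`), and the `Pro` row drops its cell (`-||`) with no new values; align this table with the others by keeping the `Edition` header and giving Pro explicit Windows 10 and Windows 11 cells.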
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | -Supported? | ||
---|---|---|---|
Home | -![]() |
+ No | +No |
Pro | -![]() |
+ No | +No |
Business | -![]() |
+ No | +No |
Enterprise | -![]() |
+ Yes | +Yes |
Education | -![]() |
+ Yes | +Yes |
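Review bot: the header row `Edition | -Supported? | ||` only removes the old `Supported?` cell and adds no `+Windows 10` / `+Windows 11` header cells, while every body row below gains two value cells, so header and body column counts will not match; add the two header cells as the other tables do.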
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 | +
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | @@ -1455,19 +1555,27 @@ ADMX Info:||||
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 | |
---|---|---|---|---|---|
Home | -![]() |
+ No | +No | +||
Pro | -![]() |
+ No | +No | +||
Business | -![]() |
+ No | +No | +||
Enterprise | -![]() |
+ Yes | +Yes | +||
Education | -![]() |
+ Yes | +Yes | +
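Review bot: the replacement header row of this table carries a trailing empty cell (`Edition | Windows 10 | Windows 11 | |`) and its separator row has one more `---|` group than the separator used by the other edition tables in this change, so this table will render with an empty fourth column. Drop the trailing pipe from both the header and the separator so it matches the three-column layout used elsewhere.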
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | +|
Pro | -![]() |
+ No | +No | +|
Business | -![]() |
+ No | +No | +|
Enterprise | -![]() |
+ Yes | +Yes | +|
Education | -![]() |
+ Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
-Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | + +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
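Review bot: the new column header at the top of this table is added as `+windows 10` in lower case, while every other replacement header in this change reads `Windows 10`; capitalise it to match the rest of the edition tables.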
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
-No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
-No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
-No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
-Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | + +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
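Review bot: this hunk differs from every other one in the series in that it only adds the table (header `+Edition | +Windows 10 | +Windows 11` and five `+` rows) and removes no `-Supported?` header or `-![]()` cells, so either this file never had the old support table or the old table is still present elsewhere in the file; confirm that there is not now a second, stale support table in this topic. The trailing `+` after each added row also reads as an added empty line between rows; a blank line terminates a Markdown table, so if that is what was committed, the rows will render as separate one-row tables and the blank lines should be dropped.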
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +No | +No | +
Business | +No | +No | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Mobile |
-1,2,3,4 |
-Same as the value set |
+Mobile |
+1,2,3,4 |
+Same as the value set |
Desktop Local Accounts |
-1,2,3 |
-3 |
+Desktop Local Accounts |
+1,2,3 |
+3 |
Desktop Microsoft Accounts |
-1,2 |
-<p2 | +Desktop Microsoft Accounts |
+1,2 |
+<p2 |
Desktop Domain Accounts |
-Not supported |
-Not supported | +Desktop Domain Accounts |
+Not supported |
+Not supported |
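Review bot: The `+<p2 |` cell in the "Desktop Microsoft Accounts" row carries over what looks like a truncated HTML tag rather than a real value; since this hunk already rewrites every line of the row (`-<p2` becomes `+<p2`), the cell should be fixed here instead of re-introduced. The two neighbouring rows give a concrete value in that column (`Same as the value set`, `3`), so this cell needs the actual value the other cells of the table imply, or an explicit "Not supported" as in the "Desktop Domain Accounts" row.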
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | -
---|---|
Home | -![]() |
-
Pro | -![]() |
-
Business | -![]() |
-
Enterprise | -![]() |
-
Education | -![]() |
-
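Review bot: This hunk deletes an entire "Windows Edition | Supported?" table (`Home` through `Education`) and adds nothing in its place, whereas every other table touched by this patch is replaced with an `Edition | Windows 10 | Windows 11` table. Check whether the replacement rows were dropped by mistake; if the deletion is deliberate, the policy description should say where the edition support information now lives.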
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ No | +Yes | |
Education | -![]() |
+ No | +Yes |
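Review bot: The `Enterprise` and `Education` rows here read `+ No | +Yes`, i.e. unsupported on Windows 10 but supported on Windows 11, while every other table in this region marks those editions `Yes | Yes`. The removed rows only show an image with no alt text, so the old support status cannot be verified from the diff; please confirm this is intentional (a policy introduced in Windows 11) and not a copy error from an adjacent table.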
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ Yes | +Yes | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ No | +No | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ No | +No | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +Yes | +No | +
Business | +Yes | +No | +
Enterprise | +Yes | +No | +
Education | +Yes | +No | +
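Review bot: This newly added table marks `Pro`, `Business`, `Enterprise` and `Education` as `Yes` for Windows 10 and `No` for Windows 11, which is the reverse of every other table in the patch. If the policy really was removed in Windows 11, the policy description should state that explicitly rather than leaving the table as the only signal; if not, the Windows 11 column is wrong.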
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +Yes | +Yes | +
Business | +Yes | +Yes | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +Yes | +Yes | +
Business | +Yes | +Yes | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Windows Edition | -Supported? | +Edition | +Windows 10 | +Windows 11 |
---|---|---|---|---|
Home | -![]() |
+ No | +No | |
Pro | -![]() |
+ Yes | +Yes | |
Business | -![]() |
+ Yes | +Yes | |
Enterprise | -![]() |
+ Yes | +Yes | |
Education | -![]() |
+ Yes | +Yes |
Edition | +Windows 10 | +Windows 11 | +
---|---|---|
Home | +No | +No | +
Pro | +Yes | +Yes | +
Business | +Yes | +Yes | +
Enterprise | +Yes | +Yes | +
Education | +Yes | +Yes | +
The root node for the Reboot configuration service provider.
+The root node for the Reboot configuration service provider.
-The supported operation is Get.
+The supported operation is Get.
**RebootNow** -This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
+This node executes a reboot of the device. RebootNow triggers a reboot within 5 minutes to allow the user to wrap up any active work.
> [!NOTE] > If this node is set to execute during a sync session, the device will reboot at the end of the sync session. -The supported operations are Execute and Get.
+The supported operations are Execute and Get.
**Schedule** -The supported operation is Get.
+The supported operation is Get.
**Schedule/Single** -This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. +
This node will execute a reboot at a scheduled date and time. The date and time value is **ISO 8601**, and both the date and time are required. Example to configure: 2018-10-25T18:00:00
Setting a null (empty) date will delete the existing schedule. In accordance with the ISO 8601 format, the date and time representation needs to be 0000-00-00T00:00:00. -The supported operations are Get, Add, Replace, and Delete.
+The supported operations are Get, Add, Replace, and Delete.
-The supported data type is "String".
+The supported data type is "String".
**Schedule/DailyRecurrent** -This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. +
This node will execute a reboot each day at a scheduled time starting at the configured starting time and date. Setting a null (empty) date will delete the existing schedule. The date and time value is ISO8601, and both the date and time are required. The CSP will return the date time in the following format: 2018-06-29T10:00:00+01:00. Example to configure: 2018-10-25T18:00:00
-The supported operations are Get, Add, Replace, and Delete.
+The supported operations are Get, Add, Replace, and Delete.
-The supported data type is "String".
+The supported data type is "String".
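Review bot: Schedule/Single and Schedule/DailyRecurrent both say a null (empty) date deletes the existing schedule and then say the representation "needs to be 0000-00-00T00:00:00", which is neither empty nor a valid ISO 8601 timestamp (month and day 00 are out of range); the text should state plainly which value the CSP accepts for deletion, an empty string or the literal 0000-00-00T00:00:00 sentinel. In the same hunk, the configure example 2018-10-25T18:00:00 carries no UTC offset while DailyRecurrent says the CSP returns values like 2018-06-29T10:00:00+01:00, so say whether the offset is optional on Add/Replace and which time zone a value without one is interpreted in. Every `-` line here is re-added unchanged as a `+` line, so this looks like a whitespace or line-ending change only; `git diff -w` would confirm that no wording moved.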
## Related topics diff --git a/windows/client-management/mdm/remotelock-csp.md b/windows/client-management/mdm/remotelock-csp.md index dde2e01cd2..47ee3981e4 100644 --- a/windows/client-management/mdm/remotelock-csp.md +++ b/windows/client-management/mdm/remotelock-csp.md @@ -21,7 +21,7 @@ The RemoteLock CSP supports the ability to lock a device that has a PIN set on t > The RemoteLock CSP is only supported in Windows 10 Mobile. **./Vendor/MSFT/RemoteLock** -Defines the root node for the RemoteLock configuration service provider.
+Defines the root node for the RemoteLock configuration service provider.
**Lock** Required. The setting accepts requests to lock the device screen. The device screen will lock immediately if a PIN has been set. If no PIN is set, the lock request is ignored and the OMA DM (405) Forbidden error is returned over the management channel. All OMA DM errors are listed [here](https://go.microsoft.com/fwlink/p/?LinkId=522607) in the protocol specification. The supported operations are Get and Exec. diff --git a/windows/client-management/mdm/surfacehub-csp.md b/windows/client-management/mdm/surfacehub-csp.md index 7c0a2bd53f..ad67b668bb 100644 --- a/windows/client-management/mdm/surfacehub-csp.md +++ b/windows/client-management/mdm/surfacehub-csp.md @@ -72,12 +72,12 @@ SurfaceHub --------WorkspaceKey ``` **./Vendor/MSFT/SurfaceHub** -The root node for the Surface Hub configuration service provider. +
The root node for the Surface Hub configuration service provider. **DeviceAccount** -
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. +
Node for setting device account information. A device account is a Microsoft Exchange account that is connected with Skype for Business, which allows people to join scheduled meetings, make Skype for Business calls, and share content from the device. See the Surface Hub administrator guide for more information about setting up a device account. -
To use a device account from Azure Active Directory +
To use a device account from Azure Active Directory 1. Set the UserPrincipalName (for Azure AD). 2. Set a valid Password. @@ -88,7 +88,7 @@ SurfaceHub > If the device cannot auto-discover the Exchange server and Session Initiation Protocol (SIP) address from this information, you should specify the ExchangeServer and SipAddress. -
Here's a SyncML example. +
Here's a SyncML example.
```xml
To use a device account from Active Directory +
To use a device account from Active Directory 1. Set the DomainName. 2. Set the UserName. @@ -146,69 +146,69 @@ SurfaceHub 4. Execute the ValidateAndCommit node. **DeviceAccount/DomainName** -
Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Domain of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **DeviceAccount/UserName** -
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. +
Username of the device account when you are using Active Directory. To use a device account from Active Directory, you should specify both DomainName and UserName for the device account. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **DeviceAccount/UserPrincipalName** -
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. +
User principal name (UPN) of the device account. To use a device account from Azure Active Directory or a hybrid deployment, you should specify the UPN of the device account. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **DeviceAccount/SipAddress** -
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. +
Session Initiation Protocol (SIP) address of the device account. Normally, the device will try to auto-discover the SIP. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **DeviceAccount/Password** -
Password for the device account. +
Password for the device account. -
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. +
The data type is string. Supported operation is Get and Replace. The operation Get is allowed, but it will always return a blank. **DeviceAccount/ValidateAndCommit** -
This method validates the data provided and then commits the changes. +
This method validates the data provided and then commits the changes. -
The data type is string. Supported operation is Execute. +
The data type is string. Supported operation is Execute. **DeviceAccount/Email** -
Email address of the device account. +
Email address of the device account. -
The data type is string. +
The data type is string. **DeviceAccount/PasswordRotationEnabled** -
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). +
Specifies whether automatic password rotation is enabled. If you enforce a password expiration policy on the device account, use this setting to allow the device to manage its own password by changing it frequently, without requiring you to manually update the account information when the password expires. You can reset the password at any time using Active Directory (or Azure AD). -
Valid values: +
Valid values: - 0 - password rotation enabled - 1 - disabled -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **DeviceAccount/ExchangeServer** -
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. +
Exchange server of the device account. Normally, the device will try to auto-discover the Exchange server. This field is only required if auto-discovery fails. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **DeviceAccount/ExchangeModernAuthEnabled** -
Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. +
Added in KB4598291 for Windows 10, version 20H2. Specifies whether Device Account calendar sync will attempt to use token-based Modern Authentication to connect to the Exchange Server. Default value is True. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **DeviceAccount/CalendarSyncEnabled** -
Specifies whether calendar sync and other Exchange server services is enabled. +
Specifies whether calendar sync and other Exchange server services is enabled. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **DeviceAccount/ErrorContext** -
If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values: +
If there is an error calling ValidateAndCommit, there is additional context for that error in this node. Here are the possible error values: -
The data type is integer. Supported operation is Get. +
The data type is integer. Supported operation is Get. **MaintenanceHoursSimple/Hours** -
Node for maintenance schedule. +
Node for maintenance schedule. **MaintenanceHoursSimple/Hours/StartTime** -
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. +
Specifies the start time for maintenance hours in minutes from midnight. For example, to set a 2:00 am start time, set this value to 120. -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **MaintenanceHoursSimple/Hours/Duration** -
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. +
Specifies the duration of maintenance window in minutes. For example, to set a 3-hour duration, set this value to 180. -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps** -
Node for the in-box app settings. +
Node for the in-box app settings. **InBoxApps/SkypeForBusiness** -
Added in Windows 10, version 1703. Node for the Skype for Business settings. +
Added in Windows 10, version 1703. Node for the Skype for Business settings. **InBoxApps/SkypeForBusiness/DomainName** -
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online. +
Added in Windows 10, version 1703. Specifies the domain of the Skype for Business account when you are using Active Directory. For more information, see Set up Skype for Business Online. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **InBoxApps/Welcome** -
Node for the welcome screen. +
Node for the welcome screen. **InBoxApps/Welcome/AutoWakeScreen** -
Automatically turn on the screen using motion sensors. +
Automatically turn on the screen using motion sensors. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Welcome/CurrentBackgroundPath** -
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. +
Download location for image to be used as the background during user sessions and on the welcome screen. To set this, specify an https URL to a PNG file (only PNGs are supported for security reasons). If any certificate authorities need to be trusted in order to access the URL, please ensure they are valid and installed on the Hub, otherwise it may not be able to load the image. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **InBoxApps/Welcome/MeetingInfoOption** -
Meeting information displayed on the welcome screen. +
Meeting information displayed on the welcome screen. -
Valid values: +
Valid values: - 0 - Organizer and time only - 1 - Organizer, time, and subject. Subject is hidden in private meetings. -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps/Whiteboard** -
Node for the Whiteboard app settings. +
Node for the Whiteboard app settings. **InBoxApps/Whiteboard/SharingDisabled** -
Invitations to collaborate from the Whiteboard app are not allowed. +
Invitations to collaborate from the Whiteboard app are not allowed. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/SigninDisabled** -
Sign-ins from the Whiteboard app are not allowed. +
Sign-ins from the Whiteboard app are not allowed. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/Whiteboard/TelemeteryDisabled** -
Telemetry collection from the Whiteboard app is not allowed. +
Telemetry collection from the Whiteboard app is not allowed. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/WirelessProjection** -
Node for the wireless projector app settings. +
Node for the wireless projector app settings. **InBoxApps/WirelessProjection/PINRequired** -
Users must enter a PIN to wirelessly project to the device. +
Users must enter a PIN to wirelessly project to the device. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Enabled** -
Enables wireless projection to the device. +
Enables wireless projection to the device. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **InBoxApps/WirelessProjection/Channel** -
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. +
Wireless channel to use for Miracast operation. The supported channels are defined by the Wi-Fi Alliance Wi-Fi Direct specification. -
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). +
The default value is 255. Outside of regulatory concerns, if the channel is configured incorrectly the driver will either not boot, or will broadcast on the wrong channel (which senders won't be looking for). -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **InBoxApps/Connect** -
Added in Windows 10, version 1703. Node for the Connect app. +
Added in Windows 10, version 1703. Node for the Connect app. **InBoxApps/Connect/AutoLaunch** -
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated. +
Added in Windows 10, version 1703. Specifies whether to automatically launch the Connect app whenever a projection is initiated. -
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. +
If this setting is true, the Connect app will be automatically launched. If false, the user will need to launch the Connect app manually from the Hub’s settings. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties** -
Node for the device properties. +
Node for the device properties. **Properties/FriendlyName** -
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. +
Friendly name of the device. Specifies the name that users see when they want to wirelessly project to the device. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **Properties/DefaultVolume** -
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. +
Added in Windows 10, version 1703. Specifies the default volume value for a new session. Permitted values are 0-100. The default is 45. -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/ScreenTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. +
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub screen turns off. -
The following table shows the permitted values. +
The following table shows the permitted values. -
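Review bot: DeviceAccount/ErrorContext ends with "Here are the possible error values:" and then goes straight to "The data type is integer. Supported operation is Get.", so the list of error codes the sentence introduces is missing; either restore the value table or drop the lead-in sentence. Also in this hunk, DeviceAccount/PasswordRotationEnabled documents "0 - password rotation enabled" and "1 - disabled", the reverse of what the node name suggests; if that is the encoding the CSP really implements, add a one-line callout ("note that 0 enables rotation"), otherwise an admin who sets 1 to enable it leaves the device account on a fixed password that will expire under the very policy this setting is meant to handle. As elsewhere in this change, each `-` line is re-added byte-for-byte as a `+` line, so the substantive review reduces to confirming that this is a whitespace-only change.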
Value | @@ -442,14 +442,14 @@ SurfaceHub
---|
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/SessionTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. +
Added in Windows 10, version 1703. Specifies the number of minutes until the session times out. -
The following table shows the permitted values. +
The following table shows the permitted values. -
Value | @@ -494,14 +494,14 @@ SurfaceHub
---|
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/SleepTimeout** -
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. +
Added in Windows 10, version 1703. Specifies the number of minutes until the Hub enters sleep mode. -
The following table shows the permitted values. +
The following table shows the permitted values. -
Value | @@ -546,61 +546,61 @@ SurfaceHub
---|
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/SleepMode** -
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. +
Added in Windows 10, version 20H2. Specifies the type of sleep mode for the Surface Hub. -
Valid values: +
Valid values: - 0 - Connected Standby (default) - 1 - Hibernate -
The data type is integer. Supported operation is Get and Replace. +
The data type is integer. Supported operation is Get and Replace. **Properties/AllowSessionResume** -
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. +
Added in Windows 10, version 1703. Specifies whether to allow the ability to resume a session when the session times out. -
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. +
If this setting is true, the "Resume Session" feature will be available on the welcome screen when the screen is idle. If false, once the screen idles, the session will be automatically cleaned up as if the “End Session" feature was initiated. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/AllowAutoProxyAuth** -
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. +
Added in Windows 10, version 1703. Specifies whether to use the device account for proxy authentication. -
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. +
If this setting is true, the device account will be used for proxy authentication. If false, a separate account will be used. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/ProxyServers** -
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). +
Added in KB4499162 for Windows 10, version 1703. Specifies FQDNs of proxy servers to provide device account credentials to before any user interaction (if AllowAutoProxyAuth is enabled). This is a semi-colon separated list of server names, without any additional prefixes (e.g. https://). -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **Properties/DisableSigninSuggestions** -
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. +
Added in Windows 10, version 1703. Specifies whether to disable auto-populating of the sign-in dialog with invitees from scheduled meetings. -
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. +
If this setting is true, the sign-in dialog will not be populated. If false, the dialog will auto-populate. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **Properties/DoNotShowMyMeetingsAndFiles** -
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. +
Added in Windows 10, version 1703. Specifies whether to disable the "My meetings and files" feature in the Start menu, which shows the signed-in user's meetings and files from Office 365. -
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. +
If this setting is true, the “My meetings and files” feature will not be shown. When false, the “My meetings and files” feature will be shown. -
The data type is boolean. Supported operation is Get and Replace. +
The data type is boolean. Supported operation is Get and Replace. **MOMAgent** -
Node for the Microsoft Operations Management Suite. +
Node for the Microsoft Operations Management Suite. **MOMAgent/WorkspaceID** -
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. +
GUID identifying the Microsoft Operations Management Suite workspace ID to collect the data. Set this to an empty string to disable the MOM agent. -
The data type is string. Supported operation is Get and Replace. +
The data type is string. Supported operation is Get and Replace. **MOMAgent/WorkspaceKey** -
Primary key for authenticating with the workspace. +
Primary key for authenticating with the workspace. -
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. +
The data type is string. Supported operation is Get and Replace. The Get operation is allowed, but it will always return an empty string. diff --git a/windows/client-management/mdm/toc.yml b/windows/client-management/mdm/toc.yml index 1d385366fb..47f9696b3a 100644 --- a/windows/client-management/mdm/toc.yml +++ b/windows/client-management/mdm/toc.yml @@ -23,9 +23,9 @@ items: href: certificate-authentication-device-enrollment.md - name: On-premises authentication device enrollment href: on-premise-authentication-device-enrollment.md - - name: Understanding ADMX-backed policies + - name: Understanding ADMX policies href: understanding-admx-backed-policies.md - - name: Enable ADMX-backed policies in MDM + - name: Enable ADMX policies in MDM href: enable-admx-backed-policies-in-mdm.md - name: Win32 and Desktop Bridge app policy configuration href: win32-and-centennial-app-policy-configuration.md @@ -381,7 +381,7 @@ items: href: policy-ddf-file.md - name: Policies in Policy CSP supported by Group Policy href: policies-in-policy-csp-supported-by-group-policy.md - - name: ADMX-backed policies in Policy CSP + - name: ADMX policies in Policy CSP href: policies-in-policy-csp-admx-backed.md - name: Policies in Policy CSP supported by HoloLens 2 href: policies-in-policy-csp-supported-by-hololens2.md @@ -439,12 +439,20 @@ items: href: policy-csp-admx-ctrlaltdel.md - name: ADMX_DataCollection href: policy-csp-admx-datacollection.md + - name: ADMX_DCOM + href: policy-csp-admx-dcom.md - name: ADMX_Desktop href: policy-csp-admx-desktop.md + - name: ADMX_DeviceCompat + href: policy-csp-admx-devicecompat.md + - name: ADMX_DeviceGuard + href: policy-csp-admx-deviceguard.md - name: ADMX_DeviceInstallation href: policy-csp-admx-deviceinstallation.md - name: ADMX_DeviceSetup href: policy-csp-admx-devicesetup.md + - name: ADMX_DFS + href: policy-csp-admx-dfs.md - name: ADMX_DigitalLocker href: policy-csp-admx-digitallocker.md - name: ADMX_DistributedLinkTracking 
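Review bot: The -23 and -381 hunks of toc.yml rename the entries from "ADMX-backed policies" to "ADMX policies" while the hrefs keep the old file names (understanding-admx-backed-policies.md, enable-admx-backed-policies-in-mdm.md, policies-in-policy-csp-admx-backed.md); the links still resolve, but confirm that the H1 titles of those three pages were renamed in the same change, otherwise the TOC label and the page heading will disagree. The -439 hunk's new entries (ADMX_DCOM, ADMX_DeviceCompat, ADMX_DeviceGuard, ADMX_DFS) are in the list's alphabetical order.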
@@ -457,6 +465,8 @@ items: href: policy-csp-admx-eaime.md - name: ADMX_EncryptFilesonMove href: policy-csp-admx-encryptfilesonmove.md + - name: ADMX_EventLogging + href: policy-csp-admx-eventlogging.md - name: ADMX_EnhancedStorage href: policy-csp-admx-enhancedstorage.md - name: ADMX_ErrorReporting @@ -465,16 +475,26 @@ items: href: policy-csp-admx-eventforwarding.md - name: ADMX_EventLog href: policy-csp-admx-eventlog.md + - name: ADMX_EventViewer + href: policy-csp-admx-eventviewer.md - name: ADMX_Explorer href: policy-csp-admx-explorer.md + - name: ADMX_ExternalBoot + href: policy-csp-admx-externalboot.md - name: ADMX_FileRecovery href: policy-csp-admx-filerecovery.md + - name: ADMX_FileRevocation + href: policy-csp-admx-filerevocation.md - name: ADMX_FileServerVSSProvider href: policy-csp-admx-fileservervssprovider.md - name: ADMX_FileSys href: policy-csp-admx-filesys.md - name: ADMX_FolderRedirection href: policy-csp-admx-folderredirection.md + - name: ADMX_FramePanes + href: policy-csp-admx-framepanes.md + - name: ADMX_FTHSVC + href: policy-csp-admx-fthsvc.md - name: ADMX_Globalization href: policy-csp-admx-globalization.md - name: ADMX_GroupPolicy @@ -485,6 +505,8 @@ items: href: policy-csp-admx-helpandsupport.md - name: ADMX_ICM href: policy-csp-admx-icm.md + - name: ADMX_IIS + href: policy-csp-admx-iis.md - name: ADMX_kdc href: policy-csp-admx-kdc.md - name: ADMX_Kerberos @@ -493,8 +515,12 @@ items: href: policy-csp-admx-lanmanserver.md - name: ADMX_LanmanWorkstation href: policy-csp-admx-lanmanworkstation.md + - name: ADMX_LeakDiagnostic + href: policy-csp-admx-leakdiagnostic.md - name: ADMX_LinkLayerTopologyDiscovery href: policy-csp-admx-linklayertopologydiscovery.md + - name: ADMX_LocationProviderAdm + href: policy-csp-admx-locationprovideradm.md - name: ADMX_Logon href: policy-csp-admx-logon.md - name: ADMX_MicrosoftDefenderAntivirus 
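Review bot: In the -457 hunk ADMX_EventLogging is inserted between ADMX_EncryptFilesonMove and ADMX_EnhancedStorage, which breaks the alphabetical ordering the rest of this list follows (EncryptFilesonMove, EnhancedStorage, ErrorReporting, EventForwarding, EventLog, ...); move it into the -465 hunk between ADMX_EventLog and the new ADMX_EventViewer entry. The other additions in these hunks (ADMX_EventViewer, ADMX_ExternalBoot, ADMX_FileRevocation, ADMX_FramePanes, ADMX_FTHSVC, ADMX_IIS, ADMX_LeakDiagnostic, ADMX_LocationProviderAdm) are placed in order.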
@@ -535,6 +561,8 @@ items: href: policy-csp-admx-printing2.md - name: ADMX_Programs href: policy-csp-admx-programs.md + - name: ADMX_Radar + href: policy-csp-admx-radar.md - name: ADMX_Reliability href: policy-csp-admx-reliability.md - name: ADMX_RemoteAssistance @@ -547,10 +575,14 @@ items: href: policy-csp-admx-scripts.md - name: ADMX_sdiageng href: policy-csp-admx-sdiageng.md + - name: ADMX_sdiagschd + href: policy-csp-admx-sdiagschd.md - name: ADMX_Securitycenter href: policy-csp-admx-securitycenter.md - name: ADMX_Sensors href: policy-csp-admx-sensors.md + - name: ADMX_ServerManager + href: policy-csp-admx-servermanager.md - name: ADMX_Servicing href: policy-csp-admx-servicing.md - name: ADMX_SettingSync @@ -567,6 +599,8 @@ items: href: policy-csp-admx-smartcard.md - name: ADMX_Snmp href: policy-csp-admx-snmp.md + - name: ADMX_SoundRec + href: policy-csp-admx-soundrec.md - name: ADMX_StartMenu href: policy-csp-admx-startmenu.md - name: ADMX_SystemRestore @@ -689,6 +723,8 @@ items: href: policy-csp-experience.md - name: ExploitGuard href: policy-csp-exploitguard.md + - name: Feeds + href: policy-csp-feeds.md - name: FileExplorer href: policy-csp-fileexplorer.md - name: Games diff --git a/windows/client-management/mdm/tpmpolicy-csp.md b/windows/client-management/mdm/tpmpolicy-csp.md index 863fa75311..93e9c4a508 100644 --- a/windows/client-management/mdm/tpmpolicy-csp.md +++ b/windows/client-management/mdm/tpmpolicy-csp.md @@ -25,10 +25,10 @@ TPMPolicy ----IsActiveZeroExhaust ``` **./Device/Vendor/MSFT/TPMPolicy** -
Defines the root node.
+Defines the root node.
**IsActiveZeroExhaust** -Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
+Boolean value that indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user (zero exhaust). Default value is false. Some examples when zero exhaust is configured:
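Review bot: IsActiveZeroExhaust is described as a boolean that "indicates whether network traffic from the device to public IP addresses is not allowed unless directly intended by the user", a double negative that leaves the meaning of true and false unclear on first read; state it directly, for example "true: traffic to public IP addresses that the user did not explicitly request is blocked; false (default): no such restriction". The hunk also ends on "Some examples when zero exhaust is configured:", so the list that sentence introduces is outside the diff context and reviewers cannot check that it still matches the reworded description.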
The root node. +
The root node. -
Supported operation is Get. +
Supported operation is Get. **ApprovedUpdates** -
Node for update approvals and EULA acceptance on behalf of the end-user. +
Node for update approvals and EULA acceptance on behalf of the end-user. > [!NOTE] > When the RequireUpdateApproval policy is set, the MDM uses the ApprovedUpdates list to pass the approved GUIDs. These GUIDs should be a subset of the InstallableUpdates list. -
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. +
The MDM must first present the EULA to IT and have them accept it before the update is approved. Failure to do this is a breach of legal or contractual obligations. The EULAs can be obtained from the update metadata and have their own EULA ID. It's possible for multiple updates to share the same EULA. It is only necessary to approve the EULA once per EULA ID, not one per update. -
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. +
The update approval list enables IT to approve individual updates and update classifications. Auto-approval by update classifications allows IT to automatically approve Definition Updates (i.e., updates to the virus and spyware definitions on devices) and Security Updates (i.e., product-specific updates for security-related vulnerability). The update approval list does not support the uninstallation of updates by revoking approval of already installed updates. Updates are approved based on UpdateID, and an UpdateID only needs to be approved once. An update UpdateID and RevisionNumber are part of the UpdateIdentity type. An UpdateID can be associated to several UpdateIdentity GUIDs due to changes to the RevisionNumber setting. MDM services must synchronize the UpdateIdentity of an UpdateID based on the latest RevisionNumber to get the latest metadata for an update. However, update approval is based on UpdateID. > [!NOTE] > For the Windows 10 build, the client may need to reboot after additional updates are added. -
Supported operations are Get and Add. +
Supported operations are Get and Add. **ApprovedUpdates/_Approved Update Guid_** -
Specifies the update GUID. +
Specifies the update GUID. -
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. +
To auto-approve a class of updates, you can specify the Update Classifications GUIDs. We strongly recommend to always specify the DefinitionsUpdates classification (E0789628-CE08-4437-BE74-2495B842F43B), which are used for anti-malware signatures. These are released periodically (several times a day). Some businesses may also want to auto-approve security updates to get them deployed quickly. -
Supported operations are Get and Add. +
Supported operations are Get and Add. -
Sample syncml: +
Sample syncml:
```
Specifies the time the update gets approved. +
Specifies the time the update gets approved. -
Supported operations are Get and Add. +
Supported operations are Get and Add. **FailedUpdates** -
Specifies the approved updates that failed to install on a device. +
Specifies the approved updates that failed to install on a device. -
Supported operation is Get. +
Supported operation is Get. **FailedUpdates/_Failed Update Guid_** -
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. +
Update identifier field of the UpdateIdentity GUID that represents an update that failed to download or install. -
Supported operation is Get. +
Supported operation is Get. **FailedUpdates/*Failed Update Guid*/HResult** -
The update failure error code. +
The update failure error code. -
Supported operation is Get. +
Supported operation is Get. **FailedUpdates/*Failed Update Guid*/Status** -
Specifies the failed update status (for example, download, install). +
Specifies the failed update status (for example, download, install). -
Supported operation is Get. +
Supported operation is Get. **FailedUpdates/*Failed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +
Supported operation is Get. **InstalledUpdates** -
The updates that are installed on the device. +
The updates that are installed on the device. -
Supported operation is Get. +
Supported operation is Get. **InstalledUpdates/_Installed Update Guid_** -
UpdateIDs that represent the updates installed on a device. +
UpdateIDs that represent the updates installed on a device. -
Supported operation is Get. +
Supported operation is Get. **InstalledUpdates/*Installed Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +
Supported operation is Get. **InstallableUpdates** -
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. +
The updates that are applicable and not yet installed on the device. This includes updates that are not yet approved. -
Supported operation is Get. +
Supported operation is Get. **InstallableUpdates/_Installable Update Guid_** -
Update identifiers that represent the updates applicable and not installed on a device. +
Update identifiers that represent the updates applicable and not installed on a device. -
Supported operation is Get. +
Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/Type** -
The UpdateClassification value of the update. Valid values are: +
The UpdateClassification value of the update. Valid values are: - 0 - None - 1 - Security - 2 - Critical -
Supported operation is Get. +
Supported operation is Get. **InstallableUpdates/*Installable Update Guid*/RevisionNumber** -
The revision number for the update that must be passed in server to server sync to get the metadata for the update. +
The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +
Supported operation is Get. **PendingRebootUpdates** -
The updates that require a reboot to complete the update session. +
The updates that require a reboot to complete the update session. -
Supported operation is Get. +
Supported operation is Get. **PendingRebootUpdates/_Pending Reboot Update Guid_** -
Update identifiers for the pending reboot state. +
Update identifiers for the pending reboot state. -
Supported operation is Get. +
Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/InstalledTime** -
The time the update is installed. +
The time the update is installed. -
Supported operation is Get. +
Supported operation is Get. **PendingRebootUpdates/*Pending Reboot Update Guid*/RevisionNumber** -
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. +
Added in Windows 10, version 1703. The revision number for the update that must be passed in server to server sync to get the metadata for the update. -
Supported operation is Get. +
Supported operation is Get. **LastSuccessfulScanTime** -
The last successful scan time. +
The last successful scan time. -
Supported operation is Get. +
Supported operation is Get. **DeferUpgrade** -
Upgrades deferred until the next period. +
Upgrades deferred until the next period. -
Supported operation is Get. +
Supported operation is Get. **Rollback** Added in Windows 10, version 1803. Node for the rollback operations. diff --git a/windows/client-management/mdm/vpnv2-csp.md b/windows/client-management/mdm/vpnv2-csp.md index 1fed240483..87588a2a0e 100644 --- a/windows/client-management/mdm/vpnv2-csp.md +++ b/windows/client-management/mdm/vpnv2-csp.md @@ -9,7 +9,7 @@ ms.topic: article ms.prod: w10 ms.technology: windows author: manikadhiman -ms.date: 10/30/2020 +ms.date: 09/21/2021 --- # VPNv2 CSP @@ -591,7 +591,7 @@ Valid values: - True = Register the connection's addresses in DNS. **VPNv2/**ProfileName**/DnsSuffix** -Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. +Optional. Specifies one or more comma-separated DNS suffixes. The first in the list is also used as the primary connection specific DNS suffix for the VPN Interface. The entire list will also be added into the SuffixSearchList. Windows has a limit of 50 DNS suffixes that can be set. Windows name resolution will apply each suffix in order. Long DNS suffix lists may impact performance. Value type is chr. Supported operations include Get, Add, Replace, and Delete. diff --git a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md index 3d2584ee4e..2e285342fd 100644 --- a/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md +++ b/windows/client-management/mdm/win32-and-centennial-app-policy-configuration.md 
@@ -1,6 +1,6 @@ --- -title: Win32 and Desktop Bridge app policy configuration -description: Starting in Windows 10, version 1703, you can import ADMX files and set those ADMX-backed policies for Win32 and Desktop Bridge apps. +title: Win32 and Desktop Bridge app ADMX policy Ingestion +description: Starting in Windows 10, version 1703, you can ingest ADMX files and set those ADMX policies for Win32 and Desktop Bridge apps. ms.author: dansimp ms.topic: article ms.prod: w10 
@@ -11,21 +11,21 @@ ms.reviewer: manager: dansimp --- -# Win32 and Desktop Bridge app policy configuration +# Win32 and Desktop Bridge app ADMX policy Ingestion ## In this section - [Overview](#overview) - [Ingesting an app ADMX file](#ingesting-an-app-admx-file) - [URI format for configuring an app policy](#uri-format-for-configuring-an-app-policy) -- [ADMX-backed app policy examples](#admx-backed-app-policy-examples) +- [ADMX app policy examples](#admx-backed-app-policy-examples) - [Enabling an app policy](#enabling-an-app-policy) - [Disabling an app policy](#disabling-an-app-policy) - [Setting an app policy to not configured](#setting-an-app-policy-to-not-configured) ## Overview -Starting in Windows 10, version 1703, you can import ADMX files (also called ADMX ingestion) and set those ADMX-backed policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. +Starting in Windows 10, version 1703, you can ingest ADMX files (ADMX ingestion) and set those ADMX policies for Win32 and Desktop Bridge apps by using Windows 10 Mobile Device Management (MDM) on desktop SKUs. The ADMX files that define policy information can be ingested to your device by using the Policy CSP URI, `./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall`. The ingested ADMX file is then processed into MDM policies. NOTE: Starting from the following Windows 10 version Replace command is supported - Windows 10, version 1903 with KB4512941 and KB4517211 installed 
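Review bot: The renamed TOC entry `[ADMX app policy examples](#admx-backed-app-policy-examples)` still targets the `admx-backed-app-policy-examples` anchor; if the matching section heading was also renamed to "ADMX app policy examples", that anchor no longer resolves, and if it was not, the link text and heading now disagree. Rename the heading and the anchor together. The unchanged `NOTE: Starting from the following Windows 10 version Replace command is supported` paragraph in the trailing context also uses a bare `NOTE:` where the rest of this page uses the `> [!NOTE]` callout.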
@@ -33,7 +33,7 @@ NOTE: Starting from the following Windows 10 version Replace command is supporte - Windows 10, version 1803 with KB4512509 and KB installed - Windows 10, version 1709 with KB4516071 and KB installed -When the ADMX policies are imported, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: +When the ADMX policies are ingested, the registry keys to which each policy is written are checked so that known system registry keys, or registry keys that are used by existing inbox policies or system components, are not overwritten. This precaution helps to avoid security concerns over opening the entire registry. Currently, the ingested policies are not allowed to write to locations within the **System**, **Software\Microsoft**, and **Software\Policies\Microsoft** keys, except for the following locations: - Software\Policies\Microsoft\Office\ - Software\Microsoft\Office\ 
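Review bot: Two entries in the version list carried as context in this hunk read `KB4512509 and KB installed` and `KB4516071 and KB installed`, so the second KB number is missing in each; since the surrounding paragraph is being edited, fill in the numbers or drop the dangling "and KB" rather than shipping an incomplete prerequisite list for the Replace operation.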
@@ -58,7 +58,7 @@ When the ADMX policies are imported, the registry keys to which each policy is w - Software\Microsoft\EdgeUpdate\ > [!Warning] -> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still import ADMX files and set ADMX-backed policies regardless of whether the device is domain joined or non-domain joined. +> Some operating system components have built in functionality to check devices for domain membership. MDM enforces the configured policy values only if the devices are domain joined, otherwise it does not. However, you can still ingest ADMX files and set ADMX policies regardless of whether the device is domain joined or non-domain joined. > [!NOTE] > Settings that cannot be configured using custom policy ingestion have to be set by pushing the appropriate registry keys directly (for example, by using PowerShell script). diff --git a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md index fc13fd3034..4f22b0b48c 100644 --- a/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md +++ b/windows/client-management/mdm/windowsadvancedthreatprotection-csp.md @@ -24,98 +24,98 @@ The following diagram shows the WDATP configuration service provider in tree for The following list describes the characteristics and parameters. **./Device/Vendor/MSFT/WindowsAdvancedThreatProtection** -
The root node for the Windows Defender Advanced Threat Protection configuration service provider. +
The root node for the Windows Defender Advanced Threat Protection configuration service provider. -
Supported operation is Get. +
Supported operation is Get. **Onboarding** -
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. +
Sets Windows Defender Advanced Threat Protection Onboarding blob and initiates onboarding to Windows Defender Advanced Threat Protection. -
The data type is a string. +
The data type is a string. -
Supported operations are Get and Replace. +
Supported operations are Get and Replace. **HealthState** -
Node that represents the Windows Defender Advanced Threat Protection health state. +
Node that represents the Windows Defender Advanced Threat Protection health state. **HealthState/LastConnected** -
Contains the timestamp of the last successful connection. +
Contains the timestamp of the last successful connection. -
Supported operation is Get. +
Supported operation is Get. **HealthState/SenseIsRunning** -
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. +
Boolean value that identifies the Windows Defender Advanced Threat Protection Sense running state. -
The default value is false. +
The default value is false. -
Supported operation is Get. +
Supported operation is Get. **HealthState/OnboardingState** -
Represents the onboarding state. +
Represents the onboarding state. -
Supported operation is Get. +
Supported operation is Get. -
The following list shows the supported values: +
The following list shows the supported values: - 0 (default) – Not onboarded. - 1 – Onboarded **HealthState/OrgId** -
String that represents the OrgID. +
String that represents the OrgID. -
Supported operation is Get. +
Supported operation is Get. **Configuration** -
Represents Windows Defender Advanced Threat Protection configuration. +
Represents Windows Defender Advanced Threat Protection configuration. **Configuration/SampleSharing** -
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. +
Returns or sets the Windows Defender Advanced Threat Protection Sample Sharing configuration parameter. -
The following list shows the supported values: +
The following list shows the supported values: - 0 – None - 1 (default)– All -
Supported operations are Get and Replace. +
Supported operations are Get and Replace. **Configuration/TelemetryReportingFrequency** -
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. +
Added in Windows 10, version 1703. Returns or sets the Windows Defender Advanced Threat Protection diagnostic data reporting frequency. -
The following list shows the supported values: +
The following list shows the supported values: - 1 (default) – Normal - 2 - Expedite -
Supported operations are Get and Replace. +
Supported operations are Get and Replace. **Offboarding** -
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. +
Sets the Windows Defender Advanced Threat Protection Offboarding blob and initiates offboarding to Windows Defender Advanced Threat Protection. -
The data type is a string. +
The data type is a string. -
Supported operations are Get and Replace. +
Supported operations are Get and Replace. **DeviceTagging** -
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. +
Added in Windows 10, version 1709. Represents Windows Defender Advanced Threat Protection configuration for managing role based access and device tagging. -
Supported operations is Get. +
Supported operations is Get. **DeviceTagging/Group** -
Added in Windows 10, version 1709. Device group identifiers. +
Added in Windows 10, version 1709. Device group identifiers. -
The data type is a string. +
The data type is a string. -
Supported operations are Get and Replace. +
Supported operations are Get and Replace. **DeviceTagging/Criticality** -
Added in Windows 10, version 1709. Asset criticality value. Supported values: +
Added in Windows 10, version 1709. Asset criticality value. Supported values: - 0 - Normal - 1 - Critical -
The data type is an integer. +
The data type is an integer. -
Supported operations are Get and Replace. +
Supported operations are Get and Replace.
## Examples
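Review bot: In the ApprovedUpdates/_Approved Update Guid_ hunk of the Update CSP page, the text recommends auto-approving security updates but only supplies the classification GUID for DefinitionsUpdates (E0789628-CE08-4437-BE74-2495B842F43B); add the Security Updates classification GUID or link to the list of update classification GUIDs, otherwise an admin cannot act on the recommendation. Nearly every other line in this hunk is a `-`/`+` pair with identical text (whitespace or line-ending normalization), which buries the one substantive addition, the `> [!NOTE]` about the client needing a reboot after additional updates; landing the normalization in its own commit would make that visible. Also confirm that the fence after `Sample syncml:` still contains the sample, since the hunk shows no body between the fence and `Specifies the time the update gets approved.`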
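Review bot: The new DnsSuffix sentence in vpnv2-csp.md states a limit of 50 suffixes but not what happens when a profile supplies more (rejected at Add/Replace, truncated to the first 50, or applied with the remainder ignored); an admin authoring a profile needs that behaviour spelled out, and "may impact performance" should name what is affected, namely resolution latency, since the text says each suffix is applied in order. Suggest stating the over-limit behaviour explicitly in the same sentence.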
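Review bot: The `[!Warning]` in the Win32 and Desktop Bridge ADMX hunk at `@@ -58,7` reads as if MDM itself enforces policy only on domain-joined devices, which contradicts the sentence that follows it; the intended meaning is that certain OS components that check domain membership ignore the configured value on a non-domain-joined device even though the ADMX was ingested and the policy was set. Rephrase so the check is attributed to the component and the sentence says what an admin will observe on a non-domain-joined device. This matters because an Azure AD-joined fleet can otherwise be assumed to be enforcing a policy that is not in effect.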
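Review bot: The windowsadvancedthreatprotection-csp.md hunk rewrites all 98 lines as identical `-`/`+` pairs (whitespace or line-ending normalization) without correcting the text it touches: `Supported operations is Get.` under **DeviceTagging** should read `Supported operation is Get.`, and **Offboarding** says it "initiates offboarding to Windows Defender Advanced Threat Protection" where "from" is meant. Since the hunk already rewrites those lines, fix them here rather than leaving a no-op diff.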
diff --git a/windows/client-management/new-policies-for-windows-10.md b/windows/client-management/new-policies-for-windows-10.md
index 183335b55e..9d8d9e35c6 100644
--- a/windows/client-management/new-policies-for-windows-10.md
+++ b/windows/client-management/new-policies-for-windows-10.md
@@ -11,7 +11,7 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: dansimp
ms.localizationpriority: medium
-ms.date: 10/24/2017
+ms.date: 09/15/2021
ms.topic: reference
---
@@ -20,7 +20,8 @@ ms.topic: reference
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
As of September 2020 This page will no longer be updated. To find the Group Polices that ship in each version of Windows, refer to the Group Policy Settings Reference Spreadsheet. You can always locate the most recent version of the Spreadsheet by searching the Internet for "Windows Version + Group Policy Settings Reference".
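Review bot: Adding "Windows 11" to the Applies to list conflicts with the unchanged sentence below it, which says the page stopped being updated in September 2020 and refers readers to the Group Policy Settings Reference spreadsheet for each version; either keep the page Windows 10 only or add a pointer to the Windows 11 spreadsheet so the new applicability line is backed by content.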
diff --git a/windows/client-management/quick-assist.md b/windows/client-management/quick-assist.md
index acdcd2d268..ced09ebede 100644
--- a/windows/client-management/quick-assist.md
+++ b/windows/client-management/quick-assist.md
@@ -12,7 +12,7 @@ manager: laurawi
# Use Quick Assist to help users
-Quick Assist is a Windows 10 application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
+Quick Assist is a Windows application that enables a person to share their device with another person over a remote connection. Your support staff can use it to remotely connect to a user’s device and then view its display, make annotations, or take full control. In this way, they can troubleshoot, diagnose technological issues, and provide instructions to users directly on their devices.
## Before you begin
diff --git a/windows/client-management/troubleshoot-tcpip-port-exhaust.md b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
index 4c1e8b1b7f..3e8eeea8a1 100644
--- a/windows/client-management/troubleshoot-tcpip-port-exhaust.md
+++ b/windows/client-management/troubleshoot-tcpip-port-exhaust.md
@@ -196,4 +196,4 @@ goto loop
- [Port Exhaustion and You!](/archive/blogs/askds/port-exhaustion-and-you-or-why-the-netstat-tool-is-your-friend) - this article gives a detail on netstat states and how you can use netstat output to determine the port status
-- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10)
+- [Detecting ephemeral port exhaustion](/archive/blogs/yongrhee/windows-server-2012-r2-ephemeral-ports-a-k-a-dynamic-ports-hotfixes): this article has a script which will run in a loop to report the port status. (Applicable for Windows 2012 R2, Windows 8, Windows 10, and Windows 11)
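Review bot: The applicability note on the "Detecting ephemeral port exhaustion" link now claims the looping script applies to Windows 11, but the linked archived post concerns Windows Server 2012 R2 era ephemeral-port hotfixes; confirm the script was actually exercised on Windows 11 before widening the claim, or word it as expected to work rather than verified.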
diff --git a/windows/client-management/windows-libraries.md b/windows/client-management/windows-libraries.md
index a287d48be1..5db8c1238b 100644
--- a/windows/client-management/windows-libraries.md
+++ b/windows/client-management/windows-libraries.md
@@ -10,11 +10,11 @@ ms.technology: storage
ms.topic: article
author: dansimp
description: All about Windows Libraries, which are containers for users' content, such as Documents and Pictures.
-ms.date: 04/19/2017
+ms.date: 09/15/2021
---
# Windows libraries
-> Applies to: Windows 10, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
+> Applies to: Windows 10, Windows 11, Windows 8.1, Windows 7, Windows Server 2016, Windows Server 2012 R2, Windows Server 2012, Windows Server 2008 R2
Libraries are virtual containers for users’ content. A library can contain files and folders stored on the local computer or in a remote storage location. In Windows Explorer, users interact with libraries in ways similar to how they would interact with other folders. Libraries are built upon the legacy known folders (such as My Documents, My Pictures, and My Music) that users are familiar with, and these known folders are automatically included in the default libraries and set as the default save location.
diff --git a/windows/configuration/TOC.yml b/windows/configuration/TOC.yml
index f44d4cea07..7e2051d237 100644
--- a/windows/configuration/TOC.yml
+++ b/windows/configuration/TOC.yml
@@ -2,6 +2,20 @@
href: index.yml
- name: Customize the appearance
items:
+ - name: Windows 11
+ items:
+ - name: Start menu
+ items:
+ - name: Customize Start menu layout
+ href: customize-start-menu-layout-windows-11.md
+ - name: Supported Start menu CSPs
+ href: supported-csp-start-menu-layout-windows.md
+ - name: Taskbar
+ items:
+ - name: Customize Taskbar
+ href: customize-taskbar-windows-11.md
+ - name: Supported Taskbar CSPs
+ href: supported-csp-taskbar-windows.md
- name: Windows 10 Start and taskbar
items:
- name: Start layout and taskbar
@@ -48,17 +62,15 @@
href: kiosk-methods.md
- name: Prepare a device for kiosk configuration
href: kiosk-prepare.md
- - name: Set up digital signs on Windows 10
+ - name: Set up digital signs
href: setup-digital-signage.md
- name: Set up a single-app kiosk
href: kiosk-single-app.md
- name: Set up a multi-app kiosk
href: lock-down-windows-10-to-specific-apps.md
- - name: Set up a shared or guest PC with Windows 10
+ - name: Set up a shared or guest PC
href: set-up-shared-or-guest-pc.md
- - name: Set up a kiosk on Windows 10 Mobile
- href: mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md
- - name: Additional kiosk reference information
+ - name: Kiosk reference information
items:
- name: More kiosk methods and reference information
href: kiosk-additional-reference.md
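Review bot: Removing the "Set up a kiosk on Windows 10 Mobile" entry (mobile-devices/set-up-a-kiosk-for-windows-10-for-mobile-edition.md) from the TOC without a matching file deletion and redirection entry in this change leaves the page reachable by URL but orphaned from navigation; delete the file and add a redirect, or keep the entry until that is done.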
@@ -74,9 +86,9 @@
href: kiosk-xml.md
- name: Use AppLocker to create a Windows 10 kiosk
href: lock-down-windows-10-applocker.md
- - name: Use Shell Launcher to create a Windows 10 kiosk
+ - name: Use Shell Launcher to create a Windows client kiosk
href: kiosk-shelllauncher.md
- - name: Use MDM Bridge WMI Provider to create a Windows 10 kiosk
+ - name: Use MDM Bridge WMI Provider to create a Windows client kiosk
href: kiosk-mdm-bridge.md
- name: Troubleshoot kiosk mode issues
href: kiosk-troubleshoot.md
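Review bot: "Use AppLocker to create a Windows 10 kiosk" is left as Windows 10 while the adjacent Shell Launcher and MDM Bridge WMI Provider entries are renamed to "Windows client"; rename it for consistency or note why AppLocker-based kiosks remain Windows 10 only.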
@@ -84,9 +96,9 @@
- name: Use provisioning packages
items:
- - name: Provisioning packages for Windows 10
+ - name: Provisioning packages for Windows client
href: provisioning-packages/provisioning-packages.md
- - name: How provisioning works in Windows 10
+ - name: How provisioning works in Windows client
href: provisioning-packages/provisioning-how-it-works.md
- name: Introduction to configuration service providers (CSPs)
href: provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -106,7 +118,7 @@
href: provisioning-packages/provisioning-script-to-install-app.md
- name: Create a provisioning package with multivariant settings
href: provisioning-packages/provisioning-multivariant.md
- - name: PowerShell cmdlets for provisioning Windows 10 (reference)
+ - name: PowerShell cmdlets for provisioning Windows client (reference)
href: provisioning-packages/provisioning-powershell.md
- name: Windows Configuration Designer command-line interface (reference)
href: provisioning-packages/provisioning-command-line.md
@@ -123,7 +135,7 @@
href: cortana-at-work/cortana-at-work-testing-scenarios.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
href: cortana-at-work/cortana-at-work-scenario-1.md
- - name: Test scenario 2 - Perform a Bing search with Cortana
+ - name: Test scenario 2 - Run a Bing search with Cortana
href: cortana-at-work/cortana-at-work-scenario-2.md
- name: Test scenario 3 - Set a reminder
href: cortana-at-work/cortana-at-work-scenario-3.md
@@ -131,9 +143,9 @@
href: cortana-at-work/cortana-at-work-scenario-4.md
- name: Test scenario 5 - Find out about a person
href: cortana-at-work/cortana-at-work-scenario-5.md
- - name: Test scenario 6 - Change your language and perform a quick search with Cortana
+ - name: Test scenario 6 - Change your language and run a quick search with Cortana
href: cortana-at-work/cortana-at-work-scenario-6.md
- - name: Send feedback about Cortana back to Microsoftr
+ - name: Send feedback about Cortana back to Microsoft
href: cortana-at-work/cortana-at-work-feedback.md
- name: Testing scenarios using Cortana in Windows 10, versions 1909 and earlier, with Microsoft 365 in your organization
items:
@@ -143,13 +155,13 @@
href: cortana-at-work/testing-scenarios-using-cortana-in-business-org.md
- name: Test scenario 1 - Sign into Azure AD, enable the wake word, and try a voice query
href: cortana-at-work/test-scenario-1.md
- - name: Test scenario 2 - Perform a quick search with Cortana at work
+ - name: Test scenario 2 - Run a quick search with Cortana at work
href: cortana-at-work/test-scenario-2.md
- name: Test scenario 3 - Set a reminder for a specific location using Cortana at work
href: cortana-at-work/test-scenario-3.md
- name: Test scenario 4 - Use Cortana at work to find your upcoming meetings
href: cortana-at-work/test-scenario-4.md
- - name: Test scenario 5 - Use Cortana to send email to a co-worker
+ - name: Test scenario 5 - Use Cortana to send email to a coworker
href: cortana-at-work/test-scenario-5.md
- name: Test scenario 6 - Review a reminder suggested by Cortana based on what you’ve promised in email
href: cortana-at-work/test-scenario-6.md
@@ -335,7 +347,7 @@
href: ue-v/uev-deploy-uev-for-custom-applications.md
- name: Administer UE-V
items:
- - name: UE-V administion guide
+ - name: UE-V administration guide
href: ue-v/uev-administering-uev.md
- name: Manage Configurations for UE-V
items:
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-crm.md b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
index 1190119050..983c40f7d0 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-crm.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-crm.md
@@ -1,5 +1,5 @@
---
-title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in your organization (Windows 10)
+title: Set up and test Cortana with Microsoft Dynamics CRM (Preview feature) in Windows
description: How to set up Cortana to give salespeople insights on important CRM activities, including sales leads, accounts, and opportunities.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-overview.md b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
index 5d25f337c9..ac0783dddb 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-overview.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-overview.md
@@ -1,8 +1,8 @@
---
-title: Configure Cortana in Windows 10
+title: Configure Cortana in Windows 10 and Windows 11
ms.reviewer:
manager: dansimp
-description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and for enterprise environments.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -11,11 +11,11 @@ ms.localizationpriority: medium
ms.author: greglin
---
-# Configure Cortana in Windows 10
+# Configure Cortana in Windows 10 and Windows 11
## Who is Cortana?
-Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
+Cortana is a personal productivity assistant in Microsoft 365, helping your users achieve more with less effort and focus on what matters. The Cortana app in Windows 10 and Windows 11 helps users quickly get information across Microsoft 365, using typed or spoken queries to connect with people, check calendars, set reminders, add tasks, and more.
:::image type="content" source="../screenshot1.png" alt-text="Screenshot: Cortana home page example":::
@@ -38,6 +38,9 @@ Cortana requires a PC running Windows 10, version 1703 or later, as well as the
|Azure Active Directory (Azure AD) | While all employees signing into Cortana need an Azure AD account, an Azure AD premium tenant isn't required. |
|Additional policies (Group Policy and Mobile Device Management (MDM)) |There is a rich set of policies that can be used to manage various aspects of Cortana. Most of these policies will limit the abilities of Cortana but won't turn Cortana off. For example, if you turn **Speech** off, your employees won't be able to use the wake word ("Cortana") for hands-free activation or voice commands to easily ask for help. |
+>[!NOTE]
+>For Windows 11, Cortana is no longer pinned to the taskbar by default. You can still pin the Cortana app to the taskbar as you would any other app. In addition, the keyboard shortcut that launched Cortana (Win+C) no longer opens Cortana.
+
## Signing in using Azure AD
Your organization must have an Azure AD tenant and your employees' devices must all be Azure AD-joined for the best Cortana experience. (Users may also sign into Cortana with a Microsoft account, but will not be able to use their enterprise email or calendar.) For info about what an Azure AD tenant is, how to get your devices joined, and other Azure AD maintenance info, see [Azure Active Directory documentation.](/azure/active-directory/)
@@ -46,9 +49,9 @@ Your organization must have an Azure AD tenant and your employees' devices m
Cortana's approach to integration with Microsoft 365 has changed with Windows 10, version 2004 and later.
-### Cortana in Windows 10, version 2004 and later
+### Cortana in Windows 10, version 2004 and later, or Windows 11
-Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365).
+Cortana enterprise services that can be accessed using Azure AD through Cortana in Windows 10, version 2004 and later, or Windows 11, meet the same enterprise-level privacy, security, and compliance promises as reflected in the [Online Services Terms (OST)](https://www.microsoft.com/en-us/licensing/product-licensing/products). To learn more, see [Cortana in Microsoft 365](/microsoft-365/admin/misc/cortana-integration?view=o365-worldwide#what-data-is-processed-by-cortana-in-office-365&preserve-view=true).
#### How does Microsoft store, retain, process, and use Customer Data in Cortana?
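Review bot: in the updated link on the `+Cortana enterprise services` line, `&preserve-view=true` is appended after the `#what-data-is-processed-by-cortana-in-office-365` fragment, so it becomes part of the anchor instead of a query parameter and the view is not preserved. Put it before the fragment: `?view=o365-worldwide&preserve-view=true#what-data-is-processed-by-cortana-in-office-365`.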
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
index 2d82042faa..a43fafd84b 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: Configure Cortana with Group Policy and MDM settings (Windows 10)
+title: Configure Cortana with Group Policy and MDM settings (Windows)
description: The list of Group Policy and mobile device management (MDM) policy settings that apply to Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,10 +25,10 @@ manager: dansimp
> Cortana won’t work if this setting is turned off (disabled). However, on Windows 10, version 1809 and below, employees can still perform local searches even with Cortana turned off. |
|Computer Configuration\Administrative Templates\Windows Components\Search\AllowCortanaAboveLock |AboveLock/AllowCortanaAboveLock |Specifies whether an employee can interact with Cortana using voice commands when the system is locked.
> [!NOTE]
-> Cortana in Windows 10, versions 2004 and later do not currently support Above Lock. |
+> Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsActivateWithVoice |[Privacy/LetAppsActivateWithVoice](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsactivatewithvoice) |Specifies whether apps (such as Cortana or other voice assistants) can activate using a wake word (e.g. “Hey Cortana”).
> [!NOTE]
-> This setting only applies to Windows 10 versions 2004 and later. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
+> This setting only applies to Windows 10 versions 2004 and later, or Windows 11. To disable wake word activation on Windows 10 versions 1909 and earlier, you will need to disable voice commands using Privacy/AllowInputPersonalization. |
|Computer Configuration\Administrative Templates\Windows Components\App Privacy\LetAppsAccessMicrophone |[Privacy/LetAppsAccessMicrophone_ForceDenyTheseApps](/windows/client-management/mdm/policy-csp-privacy#privacy-letappsaccessmicrophone-forcedenytheseapps) | Use this to disable Cortana’s access to the microphone. To do so, specify Cortana’s Package Family Name: Microsoft.549981C3F5F10_8wekyb3d8bbwe
Users will still be able to type queries to Cortana. |
|Computer Configuration\Administrative Templates\Control Panel\Regional and Language Options\Allow users to enable online speech recognition services |Privacy/AllowInputPersonalization |Specifies whether an employee can use voice commands with Cortana in your organization.
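Review bot: the rewritten Above Lock note, "Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently support Above Lock", has a singular subject, so it should read "does not currently support Above Lock", with a comma after "Windows 11" to close the parenthetical. The wake-word note in the same hunk is fine, but it is worth keeping the two "or Windows 11" insertions in the same style ("versions 2004 and later, or Windows 11,").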
@@ -38,15 +38,15 @@ Users will still be able to type queries to Cortana. |
**In Windows 10, version 1607 and later**
Cortana still works if this setting is turned off (disabled).
**In Windows 10, version 2004 and later**
-Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later do not currently use the Location service. |
+Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service. |
|None |Accounts/AllowMicrosoftAccountConnection |Specifies whether to allow employees to sign in using a Microsoft account (MSA) from Windows apps.
Disable this setting if you only want to allow users to sign in with their Azure AD account. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Allow search and Cortana to use location |Search/AllowSearchToUseLocation |Specifies whether Cortana can use your current location during searches and for location reminders.
-**In Windows 10, version 2004 and later**
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, do not currently use the Location service. |
+**In Windows 10, version 2004 and later**
Cortana still works if this setting is turned off (disabled). Cortana in Windows 10, versions 2004 and later, or Windows 11, do not currently use the Location service. |
|Computer Configuration\Administrative Templates\Windows Components\Search\Don't search the web or display web results |Search/DoNotUseWebResults |Specifies whether search can perform queries on the web and if the web results are displayed in search.
-**In Windows 10 Pro edition**
This setting can’t be managed.
-**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).
-**In Windows 10, version 2004 and later**
This setting no longer affects Cortana. |
+**In Windows 10 Pro edition**
This setting can’t be managed.
+**In Windows 10 Enterprise edition**
Cortana won't work if this setting is turned off (disabled).
+**In Windows 10, version 2004 and later**
This setting no longer affects Cortana.
|
|Computer Configuration\Administrative Templates\Windows Components\Search\Set the SafeSearch setting for Search |Search/SafeSearchPermissions |Specifies what level of safe search (filtering adult content) is required.
> [!NOTE]
> This setting only applies to Windows 10 Mobile. Other versions of Windows should use Don't search the web or display web results. |
\ No newline at end of file
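Review bot: the rewritten "Don't search the web or display web results" row now ends with the closing `|` on its own line after "This setting no longer affects Cortana.", while every other row closes the cell on the same line as the text; that stray line looks accidental and risks breaking the table, so keep the `|` at the end of the sentence as it was. Two smaller points: "Cortana in Windows 10, versions 2004 and later, or Windows 11 do not currently use the Location service" should be "does not" in both location rows, and the file still ends without a newline (`\ No newline at end of file`), which this edit could fix.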
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
index 481cb27659..2b3a63b028 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-powerbi.md
@@ -1,5 +1,5 @@
---
-title: Set up and test Cortana for Power BI in your organization (Windows 10)
+title: Set up and test Cortana for Power BI in your organization (Windows)
description: How to integrate Cortana with Power BI to help your employees get answers directly from your key business data.
ms.prod: w10
ms.mktglfcycl: manage
@@ -25,7 +25,7 @@ Integration between Cortana and Power BI shows how Cortana can work with custom
## Before you begin
To use this walkthrough, you’ll need:
-- **Windows 10**. You’ll need to be running at least Windows 10, version 1703.
+- **Windows 10 or Windows 11**. You’ll need your PC to be running at least Windows 10, version 1703 or later, or Windows 11.
- **Cortana**. You need to have Cortana turned on and be logged into your account.
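Review bot: "running at least Windows 10, version 1703 or later, or Windows 11" says the same thing twice ("at least" and "or later"); simplify the new bullet to "You'll need your PC to be running Windows 10, version 1703 or later, or Windows 11."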
@@ -56,7 +56,7 @@ Before you can start this testing scenario, you must first set up your test envi
4. Click **Samples** from the **Content Pack Library** area of the **Get Data** screen.
- 
+ 
5. Click **Retail Analysis Sample**, and then click **Connect**.
@@ -79,7 +79,7 @@ Before you can start this testing scenario, you must first set up your test envi

>[!NOTE]
- >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana. + >It can take up to 30 minutes for a new dataset to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.
If you enable a dataset for Cortana, and that dataset is part of a content pack you own, you’ll need to re-publish for your colleagues to also use it with Cortana.
## Create a custom Answer Page for Cortana
You must create special reports, known as _Answer Pages_, to display the most commonly asked answers in Cortana. For example, if you want Cortana to quickly show sales data to your employees, you can create a 2016 sales data Answer Page that shows sales data, with various pivots, in Cortana.
@@ -87,7 +87,7 @@ You must create special reports, known as _Answer Pages_, to display the most co
After you’ve finished creating your Answer Page, you can continue to the included testing scenarios.
>[!NOTE]
->It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows 10, or otherwise restarting Cortana, causes the new content to appear immediately.
+>It can take up to 30 minutes for a custom Answer Page to appear for Power BI and Cortana. Logging in and out of Windows, or otherwise restarting Cortana, causes the new content to appear immediately.
**To create a custom sales data Answer Page for Cortana**
1. In Power BI, click **My Workspace**, click **Create**, and then click **Report**.
@@ -116,7 +116,7 @@ After you’ve finished creating your Answer Page, you can continue to the inclu
6. Click **File**, click **Save as**, and save the report as _Sales data 2016_.
- Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows 10, or otherwise restart Cortana, before the new content appears.
+ Because this is part of the Retail Analysis Sample, it will automatically be included as part of the dataset you included for Cortana. However, you will still need to log in and out of Windows, or otherwise restart Cortana, before the new content appears.
## Test Scenario: Use Cortana to show info from Power BI in your organization
Now that you’ve set up your device, you can use Cortana to show your info from within Power BI.
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
index 33ac963a8e..029beac994 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-2.md
@@ -1,6 +1,6 @@
---
-title: Perform a quick search with Cortana at work (Windows 10)
-description: A test scenario about how to perform a quick search with Cortana at work.
+title: Perform a quick search with Cortana at work (Windows)
+description: This is a test scenario about how to perform a quick search with Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
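Review bot: the new description "This is a test scenario about how to perform a quick search with Cortana at work." adds filler that the other scenario pages avoid, and the scenario pages in this change now use three different forms ("This is a test scenario about how to", "A test scenario on how to" in scenario-4 and scenario-6, and the unchanged "A test scenario about how to" in scenario-3, 5 and 7). Pick one form, preferably the existing "A test scenario about how to", and use it across all of them.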
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
index b3c72fad56..23981c8033 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-3.md
@@ -1,5 +1,5 @@
---
-title: Set a reminder for a location with Cortana at work (Windows 10)
+title: Set a reminder for a location with Cortana at work (Windows)
description: A test scenario about how to set a location-based reminder using Cortana at work.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
index f5377cf7c3..ef74c5f580 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-4.md
@@ -1,6 +1,6 @@
---
-title: Use Cortana at work to find your upcoming meetings (Windows 10)
-description: A test scenario about how to use Cortana at work to find your upcoming meetings.
+title: Use Cortana at work to find your upcoming meetings (Windows)
+description: A test scenario on how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
@@ -12,7 +12,7 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 4 - Use Cortana to find free time on your calendar
+# Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings.
This scenario helps you find out if a time slot is free on your calendar.
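Review bot: the new H1 "Test scenario 4 - Use Cortana to find free time on your calendar for your upcoming meetings." ends with a period, which no other heading in this change has, and it now differs from the page title "Use Cortana at work to find your upcoming meetings". Drop the trailing period and consider aligning the heading with the title.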
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
index a434e14f90..a2cefc5ce3 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-5.md
@@ -1,5 +1,5 @@
---
-title: Use Cortana to send email to a co-worker (Windows 10)
+title: Use Cortana to send email to a co-worker (Windows)
description: A test scenario about how to use Cortana at work to send email to a co-worker.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
index 9abb865b58..b7ff043455 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-6.md
@@ -1,6 +1,6 @@
---
-title: Review a reminder suggested by Cortana (Windows 10)
-description: A test scenario about how to use Cortana with the Suggested reminders feature.
+title: Review a reminder suggested by Cortana (Windows)
+description: A test scenario on how to use Cortana with the Suggested reminders feature.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
index 5b6970f37b..b69ff5bdc1 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-scenario-7.md
@@ -1,5 +1,5 @@
---
-title: Help protect data with Cortana and WIP (Windows 10)
+title: Help protect data with Cortana and WIP (Windows)
description: An optional test scenario about how to use Cortana at work with Windows Information Protection (WIP).
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
index c701623a88..61becd10f2 100644
--- a/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
+++ b/windows/configuration/cortana-at-work/cortana-at-work-voice-commands.md
@@ -1,5 +1,5 @@
---
-title: Set up and test custom voice commands in Cortana for your organization (Windows 10)
+title: Set up and test custom voice commands in Cortana for your organization (Windows)
description: How to create voice commands that use Cortana to perform voice-enabled actions in your line-of-business (LOB) Universal Windows Platform (UWP) apps.
ms.prod: w10
ms.mktglfcycl: manage
diff --git a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
index addf307b70..a4f82f1aac 100644
--- a/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
+++ b/windows/configuration/cortana-at-work/set-up-and-test-cortana-in-windows-10.md
@@ -2,7 +2,7 @@
title: Set up and test Cortana in Windows 10, version 2004 and later
ms.reviewer:
manager: dansimp
-description: Cortana includes powerful configuration options specifically to optimize for unique small to medium-sized business and enterprise environments.
+description: Cortana includes powerful configuration options specifically to optimize unique small to medium-sized business and enterprise environments.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
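Review bot: changing "optimize for unique small to medium-sized business and enterprise environments" to "optimize unique ... environments" changes the meaning; the configuration options are optimized for those environments, they do not optimize the environments themselves, so keep "optimize for". Also, the unchanged `title:` line still reads "Set up and test Cortana in Windows 10, version 2004 and later" although the body of this file now adds "or Windows 11"; every other title in this change was updated to a version-neutral "(Windows)".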
@@ -15,7 +15,7 @@ ms.author: greglin
## Before you begin
-- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later.
+- If your enterprise had previously disabled Cortana for your employees using the **Computer Configuration\Administrative Templates\Windows Components\Search\Allow Cortana** Group Policy or the **Experience\AllowCortana** MDM setting but want to enable it now that Cortana is part of Microsoft 365, you will need to re-enable it at least for Windows 10, version 2004 and later, or Windows 11.
- **Cortana is regularly updated through the Microsoft Store.** Beginning with Windows 10, version 2004, Cortana is an appx preinstalled with Windows and is regularly updated through the Microsoft Store. To receive the latest updates to Cortana, you will need to [enable updates through the Microsoft Store](../stop-employees-from-using-microsoft-store.md).
## Set up and configure the Bing Answers feature
diff --git a/windows/configuration/cortana-at-work/test-scenario-4.md b/windows/configuration/cortana-at-work/test-scenario-4.md
index b15cd265db..6a77d8dcda 100644
--- a/windows/configuration/cortana-at-work/test-scenario-4.md
+++ b/windows/configuration/cortana-at-work/test-scenario-4.md
@@ -1,5 +1,5 @@
---
-title: Use Cortana at work to find your upcoming meetings (Windows 10)
+title: Use Cortana to find your upcoming meetings at work (Windows)
description: A test scenario about how to use Cortana at work to find your upcoming meetings.
ms.prod: w10
ms.mktglfcycl: manage
@@ -12,7 +12,7 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 4 - Use Cortana at work to find your upcoming meetings
+# Test scenario 4 - Use Cortana to find your upcoming meetings at work
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
diff --git a/windows/configuration/cortana-at-work/test-scenario-5.md b/windows/configuration/cortana-at-work/test-scenario-5.md
index 3dabe7811b..3338b84019 100644
--- a/windows/configuration/cortana-at-work/test-scenario-5.md
+++ b/windows/configuration/cortana-at-work/test-scenario-5.md
@@ -1,6 +1,6 @@
---
-title: Use Cortana to send email to a co-worker (Windows 10)
-description: A test scenario about how to use Cortana at work to send email to a co-worker.
+title: Use Cortana to send an email to co-worker (Windows)
+description: A test scenario on how to use Cortana at work to send email to a co-worker.
ms.prod: w10
ms.mktglfcycl: manage
ms.sitesec: library
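Review bot: the new title "Use Cortana to send an email to co-worker (Windows)" drops the article; it should be "to a co-worker", as in the description on the next line. The H1 in the following hunk has the same omission.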
@@ -12,7 +12,7 @@ ms.reviewer:
manager: dansimp
---
-# Test scenario 5 - Use Cortana to send email to a co-worker
+# Test scenario 5 - Use Cortana to send an email to co-worker
>[!Important]
>The data created as part of these scenarios will be uploaded to Microsoft’s Cloud to help Cortana learn and help your employees. This is the same info that Cortana uses in the consumer offering.
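Review bot: "Test scenario 5 - Use Cortana to send an email to co-worker" needs the article: "to a co-worker", matching the description in the front matter.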
diff --git a/windows/configuration/customize-start-menu-layout-windows-11.md b/windows/configuration/customize-start-menu-layout-windows-11.md
new file mode 100644
index 0000000000..f10b516b5c
--- /dev/null
+++ b/windows/configuration/customize-start-menu-layout-windows-11.md
@@ -0,0 +1,184 @@
+---
+title: Add or remove pinned apps on the Start menu in Windows 11 | Microsoft Docs
+description: Export Start layout to LayoutModification.json with pinned apps, and add or remove pinned apps. Use the JSON text in an MDM policy to deploy a custom Start menu layout to Windows 11 devices.
+ms.assetid:
+manager: dougeby
+ms.author: mandia
+ms.reviewer: ericpapa
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: MandiOhlinger
+ms.localizationpriority: medium
+---
+
+# Customize the Start menu layout on Windows 11
+
+**Applies to**:
+
+- Windows 11
+
+> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
+
+Your organization can deploy a customized Start layout to your Windows 11 devices. Customizing the Start layout is common when you have similar devices used by many users, or you want to pin specific apps.
+
+For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more.
+
+To add apps you want pinned to the Start menu, you use a JSON file. In previous Windows versions, IT administrators used an XML file to customize the Start menu. The XML file isn't available on Windows 11 and later ***unless*** [you're an OEM](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
+
+This article shows you how to export an existing Start menu layout, and use the JSON in a Microsoft Endpoint Manager policy.
+
+## Before you begin
+
+- When you customize the Start layout, you overwrite the entire full layout. A partial Start layout isn't available. Users can pin and unpin apps, and uninstall apps from Start. You can't prevent users from changing the layout.
+
+- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+
+ In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
+
+ - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+ - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
+ - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
+
+## Start menu features and areas
+
+In Windows 11, the Start menu is redesigned with a simplified set of apps that are arranged in a grid of pages. There aren't folders, groups, or different-sized app icons:
+
+:::image type="content" source="./images/customize-start-menu-layout-windows-11/start-menu-layout.png" alt-text="Sample start menu layout on Windows 11 devices that shows pinned apps, access to all apps, and shows recommended files.":::
+
+Start has the following areas:
+
+- **Pinned**: Shows pinned apps, or a subset of all of the apps installed on the device. You can create a list of pinned apps you want on the devices using the **ConfigureStartPins** policy. **ConfigureStartPins** overrides the entire layout, which also removes apps that are pinned by default.
+
+ This article shows you [how to use the **ConfigureStartPins** policy](#get-the-pinnedlist-json).
+
+- **All apps**: Users select this option to see an alphabetical list of all the apps on the device. This section can't be customized using the JSON file.
+
+ The [Start/HideFrequentlyUsedApps CSP](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) exposes settings that configure the "Most used" section, which is at the top of the all apps list.
+
+ In **Endpoint Manager**, you can configure this Start menu layout feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
+
+ In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
+
+ - `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar`
+
+- **Recommended**: Shows recently opened files and recently installed apps. This section can't be customized using the JSON file.
+
+ The [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists) exposes settings that prevent files from showing in this section. This CSP also hides recent files that show from the taskbar.
+
+ In **Endpoint Manager**, you can configure this feature, and more. For more information on the Start menu settings you can configure in an Endpoint Manager policy, see [Windows 10/11 device settings to allow or restrict features](/mem/intune/configuration/device-restrictions-windows-10#start).
+
+ In **Group Policy**, there are policies that include settings that control the Start menu layout. Some policies may not work as expected. Be sure to test your policies before broadly deploying them across your devices:
+
+ - `Computer Configuration\Administrative Templates\Start Menu and Taskbar`
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar`
+
+## Create the JSON file
+
+On an existing Windows 11 device, set up your own Start layout with the pinned apps you want users to see. Then, use the [Windows PowerShell Export-StartLayout](/powershell/module/startlayout/export-startlayout) cmdlet to export the existing layout to a `LayoutModification.json` file.
+
+The JSON file controls the Start menu layout, and lists all the apps that are pinned. You can update the JSON file to:
+
+- Change the order of existing apps. The apps in the JSON file are shown on Start in the same order.
+- Add more apps by entering the app ID. For more information, see [Get the pinnedList JSON](#get-the-pinnedlist-json) (in this article).
+
+If you're familiar with creating JSON files, you can create your own `LayoutModification.json` file. But, it's easier and faster to export the layout from an existing device.
+
+### Export an existing Start layout
+
+1. Create a folder to save the `.json` file. For example, create the `C:\Layouts` folder.
+2. On a Windows 11 device, open the Windows PowerShell app.
+3. Run the following cmdlet. Name the file `LayoutModification.json`.
+
+ ```powershell
+ Export-StartLayout -Path "C:\Layouts\LayoutModification.json"
+ ```
+
+### Get the pinnedList JSON
+
+1. Open the `LayoutModification.json` file in a JSON editor, such as Visual Studio Code or Notepad. For more information, see [edit JSON with Visual Studio Code](https://code.visualstudio.com/docs/languages/json).
+2. In the file, you see the `pinnedList` section. This section includes all of the pinned apps. Copy the `pinnedList` content in the JSON file. You'll use it in the next section.
+
+ In the following example, you see that Microsoft Edge, Microsoft Word, the Microsoft Store app, and Notepad are pinned:
+
+ ```json
+ {
+ "pinnedList": [
+ { "desktopAppId": "MSEdge" },
+ { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" },
+ { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" },
+ { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" }
+ ]
+ }
+ ```
+
+3. Starting with Windows 11, the **ConfigureStartPins** policy is available. This policy uses the `LayoutModification.json` file to add apps to the Pinned section. In your JSON file, you can add more apps to this section using the following keys:
+
+ ---
+ | Key | Description |
+ | --- | --- |
+ | packagedAppID | Use this option for Universal Windows Platform apps. To pin a UWP app, use the app's AUMID.|
+ | desktopAppID | Use this option for unpackaged Win32 apps. To pin a Win32 app, use the app's AUMID. If the app doesn't have an AUMID, then enter the `desktopAppLink` instead. |
+ | desktopAppLink | Use this option for unpackaged Win32 apps that don't have an associated AUMID. To pin this type of app, use the path to the `.lnk` shortcut that points to the app. |
+
+## Use MDM to create and deploy a pinned list policy
+
+Now that you have the JSON syntax, you're ready to deploy your customized Start layout to devices in your organization.
+
+MDM providers can deploy policies to devices managed by the organization, including organization-owned devices, and personal or bring your own device (BYOD). Using an MDM provider, such as Microsoft Endpoint Manager, you can deploy a policy that configures the pinned list.
+
+This section shows you how to create a pinned list policy in Endpoint Manager. There isn't a Group Policy to create a pinned list.
+
+### Create a pinned list using an Endpoint Manager policy
+
+To deploy this policy, the devices must be enrolled, and managed by your organization. For more information, see [What is device enrollment?](/mem/intune/enrollment/device-enrollment).
+
+1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+2. Select **Devices** > **Configuration profiles** > **Create profile**.
+3. Enter the following properties:
+
+ - **Platform**: Select **Windows 10 and later**.
+ - **Profile**: Select **Templates** > **Custom**.
+
+4. Select **Create**.
+5. In **Basics**, enter the following properties:
+
+ - **Name**: Enter a descriptive name for the profile. Name your profiles so you can easily identify them later. For example, a good profile name is **Win11: Custom Start layout**.
+ - **Description**: Enter a description for the profile. This setting is optional, and recommended.
+
+6. Select **Next**.
+7. In **Configuration settings** > **OMA-URI**, select **Add**. Add the following properties:
+
+ - **Name**: Enter something like **Configure Start pins**.
+ - **Description**: Enter a description for the row. This setting is optional, and recommended.
+ - **OMA-URI**: Enter `./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins`.
+ - **Data type**: Select **String**.
+ - **Value**: Paste the JSON you created or updated in the previous section. For example, enter the following text:
+
+ ```json
+ {
+ "pinnedList": [
+ { "desktopAppId": "MSEdge" },
+ { "desktopAppId": "Microsoft.Office.WINWORD.EXE.15" },
+ { "packagedAppId": "Microsoft.WindowsStore_8wekyb3d8bbwe!App" },
+ { "packagedAppId": "Microsoft.WindowsNotepad_8wekyb3d8bbwe!App" }
+ ]
+ }
+ ```
+
+ Your settings look similar to the following settings:
+
+ :::image type="content" source="./images/customize-start-menu-layout-windows-11/endpoint-manager-admin-center-custom-oma-uri-start-layout.png" alt-text="Custom OMA-URI settings to customize Start menu layout using pinnedList":::
+
+8. Select **Save** > **Next** to save your changes.
+9. Configure the rest of the policy settings. For more specific information, see [Create a profile with custom settings](/mem/intune/configuration/custom-settings-configure).
+
+The Windows OS exposes many CSPs that apply to the Start menu. For a list, see [Supported CSP policies for Windows 11 Start menu](supported-csp-start-menu-layout-windows.md).
+
+### Deploy the policy using Endpoint Manager
+
+When the policy is created, you can deploy it now, or deploy it later. Since this policy is a customized Start layout, the policy can be deployed anytime, including before users sign in the first time.
+
+For more information and guidance on assigning policies to devices in your organization, see [Assign user and device profiles](/mem/intune/configuration/device-profile-assign).
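Review bot: the key table in step 3 of "Get the pinnedList JSON" lists `packagedAppID` and `desktopAppID`, but both JSON samples in this file (and the `Export-StartLayout` output they are copied from) use `packagedAppId` and `desktopAppId`; readers will copy the table names into the string value of `./Vendor/MSFT/Policy/Config/Start/ConfigureStartPins`, so use one casing throughout, the one the samples use (the `desktopAppLink` row is already in that style). Smaller points: the `---` line immediately before that table renders as a horizontal rule inside the numbered list and looks like a leftover; "with your own a set of pinned apps" should read "with your own set of pinned apps"; "overwrite the entire full layout" can drop "full"; and "This CSP also hides recent files that show from the taskbar." is clearer as "This CSP also hides recent files shown in the taskbar."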
diff --git a/windows/configuration/customize-taskbar-windows-11.md b/windows/configuration/customize-taskbar-windows-11.md
new file mode 100644
index 0000000000..5cbfc1ef09
--- /dev/null
+++ b/windows/configuration/customize-taskbar-windows-11.md
@@ -0,0 +1,246 @@
+---
+title: Configure and customize Windows 11 taskbar | Microsoft Docs
+description: On Windows 11 devices, pin and unpin default apps and organization apps on the taskbar using an XML file. Deploy the taskbar XML file using Group Policy or MDM and Microsoft Endpoint Manager. See what happens to the taskbar when the Windows OS client is installed or upgraded.
+ms.assetid:
+manager: dougeby
+ms.author: mandia
+ms.reviewer: chataylo
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: MandiOhlinger
+ms.localizationpriority: medium
+---
+
+# Customize the Taskbar on Windows 11
+
+**Applies to**:
+
+- Windows 11
+
+> **Looking for OEM information?** See [Customize the Taskbar](/windows-hardware/customize/desktop/customize-the-windows-11-taskbar) and [Customize the Start layout](/windows-hardware/customize/desktop/customize-the-windows-11-start-menu).
+
+Your organization can deploy a customized taskbar to your Windows devices. Customizing the taskbar is common when your organization uses a common set of apps, or wants to bring attention to specific apps. You can also remove the default pinned apps.
+
+For example, you can override the default set of apps with your own a set of pinned apps, and in the order you choose. As an administrator, use this feature to pin apps, remove default pinned apps, order the apps, and more on the taskbar.
+
+To add apps you want pinned to the taskbar, you use an XML file. You can use an existing XML file, or create a new file. If you have an XML file that's used on Windows 10 devices, you can also use it on Windows 11 devices. You may have to update the App IDs.
+
+This article shows you how to create the XML file, add apps to the XML, and deploy the XML file.
+
+## Before you begin
+
+- There isn't a limit on the number of apps that you can pin. In the XML file, add apps using the [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) or Desktop Application Link Path (the local path to the app).
+
+- There are some situations that an app pinned in your XML file won't be pinned in the taskbar. For example, if an app isn't approved or installed for a user, then the pinned icon won't show on the taskbar.
+
+- The order of apps in the XML file dictates the order of pinned apps on the taskbar, from left to right, and to the right of any existing apps pinned by the user. If the OS is configured to use a right-to-left language, then the taskbar order is reversed.
+
+- Some classic Windows applications are packaged differently than they were in previous versions of Windows, including Notepad and File Explorer. Be sure to enter the correct AppID. For more information, see [Application User Model ID (AUMID)](./find-the-application-user-model-id-of-an-installed-app.md) and [Get the AUMID and Desktop app link path](#get-the-aumid-and-desktop-app-link-path) (in this article).
+
+- It's recommended to use a Mobile Device Management (MDM) provider. MDM providers help manage your devices, and help manage apps on your devices. For Microsoft, that includes using Microsoft Endpoint Manager. Endpoint Manager includes Microsoft Intune, which is a cloud service, and Configuration Manager, which is on-premises.
+
+ In this article, we mention these services. If you're not managing your devices using an MDM provider, the following resources may help you get started:
+
+ - [Microsoft Endpoint Manager overview](/mem/endpoint-manager-overview)
+ - [What is Microsoft Intune](/mem/intune/fundamentals/what-is-intune) and [Microsoft Intune planning guide](/mem/intune/fundamentals/intune-planning-guide)
+ - [What is Configuration Manager?](/mem/configmgr/core/understand/introduction)
+
+## Create the XML file
+
+1. In a text editor, such as Visual Studio Code, create a new XML file. To help you get started, you can copy and paste the following XML sample. The sample pins two apps to the taskbar - File Explorer and the Command Prompt:
+
+ ```xml
+
+ Accessibility Assigned access does not change Ease of Access settings. We recommend that you use Keyboard Filter to block the following key combinations that bring up accessibility features: Left Alt+Left Shift+Print Screen Open High Contrast dialog box. Left Alt+Left Shift+Num Lock Open Mouse Keys dialog box. Windows logo key+U Open Ease of Access Center. Assigned access Windows PowerShell cmdlets In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see Assigned access Windows PowerShell reference. Key sequences blocked by assigned access When in assigned access, some key combinations are blocked for assigned access users. Alt+F4, Alt+Shift+Tab, Alt+Tab are not blocked by Assigned Access, it is recommended you use Keyboard Filter to block these key combinations. Ctrl+Alt+Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in WEKF_Settings. Alt+Esc Cycle through items in the reverse order from which they were opened. Ctrl+Alt+Esc Cycle through items in the reverse order from which they were opened. Ctrl+Esc Open the Start screen. Ctrl+F4 Close the window. Ctrl+Shift+Esc Open Task Manager. Ctrl+Tab Switch windows within the application currently open. LaunchApp1 Open the app that is assigned to this key. LaunchApp2 Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. LaunchMail Open the default mail client. Windows logo key Open the Start screen. Keyboard Filter settings apply to other standard accounts. Key sequences blocked by Keyboard Filter If Keyboard Filter is turned ON then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the Keyboard Filter reference topic. 
Keyboard Filter is only available on Windows 10 Enterprise or Windows 10 Education. Power button Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it is in assigned access. For more information on removing the power button or disabling the physical power button, see Custom Logon. Unified Write Filter (UWF) UWFsettings apply to all users, including those with assigned access. For more information, see Unified Write Filter. WEDL_AssignedAccess class Although you can use this class to configure and manage basic lockdown features for assigned access, we recommend that you use the Windows PowerShell cmdlets instead. If you need to use assigned access API, see WEDL_AssignedAccess. Welcome Screen Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own. For more information, see Custom Logon.
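Review bot: "override the default set of apps with your own a set of pinned apps" has a stray "a", and "There are some situations that an app pinned in your XML file won't be pinned" should read "situations in which". The same identifier is called "App IDs" (intro), "AppID" (fourth bullet), and "AUMID" (first bullet); settle on AUMID, which is what the linked article uses, so readers searching the page find one term. The `description:` front-matter value is well over the usual meta-description length and reads as three sentences; trim it to the first sentence plus the deployment methods.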
- Optionally, you can click **Browse** to change the default output location.
+7. Select **Next** to specify the output location where you want the provisioning package to go once it's built. By default, Windows ICD uses the project folder as the output location.
+ Optionally, you can select **Browse** to change the default output location.
-8. Click **Next**.
+8. Select **Next**.
-9. Click **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
- If you need to cancel the build, click **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
+9. Select **Build** to start building the package. The project information is displayed in the build page and the progress bar indicates the build status.
+ If you need to cancel the build, select **Cancel**. This cancels the current build process, closes the wizard, and takes you back to the **Customizations Page**.
10. If your build fails, an error message will show up that includes a link to the project folder. You can scan the logs to determine what caused the error. Once you fix the issue, try building the package again.
If your build is successful, the name of the provisioning package, output directory, and project directory will be shown.
- - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, click **Back** to change the output package name and path, and then click **Next** to start another build.
+ - If you choose, you can build the provisioning package again and pick a different path for the output package. To do this, select **Back** to change the output package name and path, and then select **Next** to start another build.
- - If you are done, click **Finish** to close the wizard and go back to the **Customizations Page**.
+ - If you are done, select **Finish** to close the wizard and go back to the **Customizations Page**.
11. Select the **output location** link to go to the location of the package. You can provide that .ppkg to others through any of the following methods:
@@ -184,33 +185,25 @@ For details about the settings you can customize in provisioning packages, see [
- Email
- - USB tether (mobile only)
-
- - NFC (mobile only)
-
-
-
**Next step**: [How to apply a provisioning package](provisioning-apply-package.md)
## Learn more
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-## Related topics
+## Related articles
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
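Review bot: the hunk removes the mobile-only delivery methods ("USB tether (mobile only)", "NFC (mobile only)") and the Windows 10 Mobile video, but the **Related articles** list still links to `../mobile-devices/provisioning-nfc.md` and `../mobile-devices/provisioning-package-splitter.md`, which are the mobile-only topics those bullets described. Either drop those two links as part of this change or keep the mobile delivery bullets so the list and the body agree.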
diff --git a/windows/configuration/provisioning-packages/provisioning-apply-package.md b/windows/configuration/provisioning-packages/provisioning-apply-package.md
index 4a9381ab1c..44ef49c0ab 100644
--- a/windows/configuration/provisioning-packages/provisioning-apply-package.md
+++ b/windows/configuration/provisioning-packages/provisioning-apply-package.md
@@ -1,5 +1,5 @@
---
-title: Apply a provisioning package (Windows 10)
+title: Apply a provisioning package (Windows 10/11)
description: Provisioning packages can be applied to a device during the first-run experience (OOBE) and after ("runtime").
ms.prod: w10
ms.mktglfcycl: deploy
@@ -8,8 +8,7 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 08/22/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
@@ -19,19 +18,16 @@ manager: dansimp
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
-Provisioning packages can be applied to a device during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
+Provisioning packages can be applied to client devices during the first-run experience (out-of-box experience or "OOBE") and after ("runtime").
>[!NOTE]
->Applying a provisioning package to a desktop device requires administrator privileges on the device.
+>
+> - Applying a provisioning package to a desktop device requires administrator privileges on the device.
+> - You can interrupt a long-running provisioning process by pressing ESC.
-## Desktop editions
-
->[!NOTE]
->In Windows 10, version 1709, you can interrupt a long-running provisioning process by pressing ESC.
-
-### During initial setup, from a USB drive
+## During initial setup, from a USB drive
1. Start with a computer on the first-run setup screen. If the PC has gone past this screen, reset the PC to start over. To reset the PC, go to **Settings** > **Update & security** > **Recovery** > **Reset this PC**.
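Review bot: **Applies to** now adds Windows 11, but step 1 still gives only the Windows 10 path "**Settings** > **Update & security** > **Recovery** > **Reset this PC**". On Windows 11 the reset option lives under **Settings** > **System** > **Recovery**; list both paths, or phrase the step so it does not depend on one Settings layout.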
@@ -41,66 +37,33 @@ Provisioning packages can be applied to a device during the first-run experience

-3. The next screen asks you to select a provisioning source. Select **Removable Media** and tap **Next**.
+3. The next screen asks you to select a provisioning source. Select **Removable Media** and select **Next**.

-
-4. Select the provisioning package (\*.ppkg) that you want to apply, and tap **Next**.
+
+4. Select the provisioning package (`.ppkg`) that you want to apply, and select **Next**.

5. Select **Yes, add it**.

-
-
-### After setup, from a USB drive, network folder, or SharePoint site
+## After setup, from a USB drive, network folder, or SharePoint site
Insert the USB drive to a desktop computer, navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install. For a provisioning package stored on a network folder or on a SharePoint site, navigate to the provisioning package and double-click it to begin installation.

-
-## Mobile editions
-### Using removable media
+## Related articles
-1. Insert an SD card containing the provisioning package into the device.
-2. Navigate to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package to install.
-
- 
-
-3. Click **Add**.
-
-4. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
-
- 
-
-### Copying the provisioning package to the device
-
-1. Connect the device to your PC through USB.
-
-2. On the PC, select the provisioning package that you want to use to provision the device and then drag and drop the file to your device.
-
-3. On the device, the **Is this package from a source you trust?** message will appear. Tap **Yes, add it**.
-
- 
-
-
-
-
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
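Review bot: the new **After setup, from a USB drive, network folder, or SharePoint site** section tells the reader to "navigate to the provisioning package and double-click it to begin installation" without mentioning that the same "Is this package from a source you trust?" prompt applies there as in the OOBE flow (step 5, "Select **Yes, add it**"), nor the administrator-privilege requirement from the note at the top. Since a package can install apps and run scripts with those privileges, add one sentence saying to apply only packages from a known source and to confirm the trust prompt deliberately; the heading change from `###` to `##` is fine. Minor: "Select **Removable Media** and select **Next**" repeats "select"; "then select **Next**" reads better.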
diff --git a/windows/configuration/provisioning-packages/provisioning-command-line.md b/windows/configuration/provisioning-packages/provisioning-command-line.md
index d4debef680..308f6bad92 100644
--- a/windows/configuration/provisioning-packages/provisioning-command-line.md
+++ b/windows/configuration/provisioning-packages/provisioning-command-line.md
@@ -1,6 +1,6 @@
---
-title: Windows Configuration Designer command-line interface (Windows 10)
-description:
+title: Windows Configuration Designer command-line interface (Windows 10/11)
+description: Learn more about the ICD syntax, switches, and arguments that you can use in the Windows Configuration Designer command-line interface for Windows10/11 client devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
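Review bot: the new `description:` value contains "Windows10/11" with the space missing after "Windows"; it should read "Windows 10/11" to match the title on the line above.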
@@ -8,8 +8,7 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
@@ -19,11 +18,11 @@ manager: dansimp
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
You can use the Windows Configuration Designer command-line interface (CLI) to automate the building of provisioning packages.
-- IT pros can use the Windows Configuration Designer CLI to require less re-tooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
+- IT pros can use the Windows Configuration Designer CLI to require less retooling of existing processes. You must run the Windows Configuration Designer CLI from a command window with administrator privileges.
- You must use the Windows Configuration Designer CLI and edit the customizations.xml sources to create a provisioning package with multivariant support. You need the customizations.xml file as one of the inputs to the Windows Configuration Designer CLI to build a provisioning package. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
@@ -31,7 +30,7 @@ You can use the Windows Configuration Designer command-line interface (CLI) to a
## Syntax
-```
+``` cmd
icd.exe /Build-ProvisioningPackage /CustomizationXML: USMT_WORKING_DIR Full path to a working directory Required when USMT binaries are located on read-only media, which does not support the creation of log files or temporary storage. To set the system environment variable, at a command prompt type the following: MIG_OFFLINE_PLATFORM_ARCH 32 or 64 While operating offline, this environment variable defines the architecture of the offline system, if the system does not match the WinPE and Scanstate.exe architecture. This environment variable enables the 32-bit ScanState application to gather data from a computer with 64-bit architecture, or the 64-bit ScanState application to gather data from a computer with 32-bit architecture. This is required when auto-detection of the offline architecture doesn't function properly, for example, when the source system is running a 64-bit version of Windows XP. For example, to set this system environment variable for a 32-bit architecture, at a command prompt type the following: ScanProgramFiles The ScanProgramFiles argument is valid only when the GenerateDocPatterns function is called in a system context. This argument determines whether or not to scan the Program Files directory to gather registered file name extensions for known applications. For example, when set to TRUE, the function discovers and migrates .doc files under the Microsoft Office directory, because .doc is a file name extension registered to a Microsoft Office application. The GenerateDocPatterns function generates this inclusion pattern for .doc files: If a child folder of an included folder contains an installed application, ScanProgramFiles will also create an exclusion rule for the child folder. All folders under the application folder will be scanned recursively for registered file name extensions. False Rule 1 Rule 2 During LoadState, only C:\Data\SampleA.txt will be restored. 
During LoadState, all the files will be restored, overwriting the existing files on the destination computer. Verifies that My Videos exists on the source computer. Filters out the shortcuts in My Videos that do not resolve on the destination computer. This has no effect on files that are not shortcuts. For example, if there is a shortcut in My Videos on the source computer that points to C:\Folder1, that shortcut will be migrated only if C:\Folder1 exists on the destination computer. However, all other files, such as .mp3 files, migrate without any filtering. Migrates My Videos for all users. Migrates all instances of the file Usmttestfile.txt from all sub-directories under %ProgramFiles%\USMTTestFolder. Migrates the whole directory under %ProgramFiles%\USMTDIRTestFolder. Migrates all instances of MyKey under HKCU\Software\USMTTESTKEY. Migrates the entire registry hive under HKLM\Software\USMTTESTKEY. Specify up to three <role> elements within a <component> — one "Binaries" role element, one "Settings" role element and one "Data" role element. These parameters do not change the migration behavior — their only purpose is to help you categorize the settings that you are migrating. You can nest these <role> elements, but each nested element must be of the same role parameter. Specify one "Container" <role> element within a <component> element. In this case, you cannot specify any child <rules> elements, only other <component> elements. And each child <component> element must have the same type as that of parent <component> element. For example:
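Review bot: the fence changed from "```" to "``` cmd" with a space before the info string; the other fences in these files use the form "```powershell" with no space, so use "```cmd" here for consistency (renderers that do not trim the info string treat the spaced form as an untagged block).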
- If you choose to install Hyper-V using Server Manager, accept all default selections. Also be sure to install both items under Role Administration Tools\Hyper-V Management Tools.
+If you choose to install Hyper-V using Server Manager, accept all default selections. Make sure to install both items under **Role Administration Tools\Hyper-V Management Tools**.
After installation is complete, open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt, or by typing **Hyper-V** in the Start menu search box.
@@ -127,19 +128,19 @@ To read more about Hyper-V, see [Introduction to Hyper-V on Windows 10](/virtual
## Create a demo VM
-Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it is simpler to use Windows PowerShell.
+Now that Hyper-V is enabled, we need to create a VM running Windows 10. We can [create a VM](/virtualization/hyper-v-on-windows/quick-start/create-virtual-machine) and [virtual network](/virtualization/hyper-v-on-windows/quick-start/connect-to-network) using Hyper-V Manager, but it's simpler to use Windows PowerShell.
-To use Windows PowerShell, we just need to know two things:
+To use Windows PowerShell, you need to know two things:
1. The location of the Windows 10 ISO file.
- In the example, we assume the location is **c:\iso\win10-eval.iso**.
+ In the example, the location is **c:\iso\win10-eval.iso**.
-2. The name of the network interface that connects to the Internet.
+2. The name of the network interface that connects to the internet.
- In the example, we use a Windows PowerShell command to determine this automatically.
+ In the example, you'll use a Windows PowerShell command to determine this automatically.
-After we have set the ISO file location and determined the name of the appropriate network interface, we can install Windows 10.
+After you determine the ISO file location and the name of the appropriate network interface, you can install Windows 10.
### Set ISO file location
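Review bot: the voice change in this hunk is incomplete. The first line keeps "we need to create a VM" and "We can [create a VM]", while the rewritten lines that follow switch to "you need to know two things", "you'll use", and "After you determine". Rewrite the first sentence in the same second-person voice so the section does not alternate between "we" and "you".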
@@ -149,7 +150,7 @@ When asked to select a platform, choose **64 bit**.
After you download this file, the name will be extremely long (ex: 19042.508.200927-1902.20h2_release_svc_refresh_CLIENTENTERPRISEEVAL_OEMRET_x64FRE_en-us.iso).
-1. So that it is easier to type and remember, rename the file to **win10-eval.iso**.
+1. So that it's easier to type and remember, rename the file to **win10-eval.iso**.
2. Create a directory on your computer named **c:\iso** and move the **win10-eval.iso** file there, so the path to the file is **c:\iso\win10-eval.iso**.
@@ -157,22 +158,26 @@ After you download this file, the name will be extremely long (ex: 19042.508.200
### Determine network adapter name
-The Get-NetAdaper cmdlet is used below to automatically find the network adapter that is most likely to be the one you use to connect to the Internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
+The **Get-NetAdaper** cmdlet is used to automatically find the network adapter that's most likely to be the one you use to connect to the internet. You should test this command first by running the following at an elevated Windows PowerShell prompt:
```powershell
(Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
```
-The output of this command should be the name of the network interface you use to connect to the Internet. Verify that this is the correct interface name. If it is not the correct interface name, you'll need to edit the first command below to use your network interface name.
+The output of this command should be the name of the network interface you use to connect to the internet. Verify that this is the correct interface name. If it isn't the correct interface name, you'll need to edit the first command below to use your network interface name.
-For example, if the command above displays Ethernet but you wish to use Ethernet2, then the first command below would be New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
+For example, if the command above displays **Ethernet** but you wish to use **Ethernet2**, then the first command below would be **New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**.
### Use Windows PowerShell to create the demo VM
All VM data will be created under the current path in your PowerShell prompt. Consider navigating into a new folder before running the following commands.
> [!IMPORTANT]
-> **VM switch**: a VM switch is how Hyper-V connects VMs to a network. Well-Known SID/RID S-1-5-<domain>-512 S-1-5-21-<domain>-512 Type Well-Known SID/RID S-1-5-21-<domain>-498 S-1-5-21-<root domain>-498 Type Name Parameters Name Parameters Add-BitLockerKeyProtector Name Parameters Name Parameters Add-BitLockerKeyProtector Important: Important: Notes:
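Review bot: the line "The **Get-NetAdaper** cmdlet is used to automatically find the network adapter" bolds the name but leaves the pre-existing typo; the cmdlet is `Get-NetAdapter`, as the code block below it shows, and a cmdlet name belongs in backticks rather than bold. The rewritten example line has unbalanced emphasis: "**New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName **Ethernet2**." opens a bold span that is closed by the inner "**Ethernet2**", leaving the trailing "**" dangling. Put the whole command in backticks (`New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName Ethernet2`) and drop the bold.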
(New in Windows 10, version 1809) | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Display options for update notifications**
-or-
Use the MDM setting **Update/UpdateNotificationLevel** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel)
-or-
Add the following registry keys as type DWORD (32-bit) in the path of **HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate**:
**\SetUpdateNotificationLevel** with a value of `1`, and **\UpdateNotificationLevel** with a value of `1` to hide all notifications except restart warnings, or value of `2` to hide all notifications, including restart warnings.
-Enable and schedule automatic updates | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Configure Automatic Updates**, and select `option 4 (Auto download and schedule the install)`
-or-
Use the MDM setting **Update/AllowAutoUpdate** from the [**Policy/Update** configuration service provider](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate), and select `option 3 (Auto install and restart at a specified time)`
**Note:** Installations can take from between 30 minutes and 2 hours, depending on the device, so you should schedule updates to occur when a block of 3-4 hours is available.
To schedule the automatic update, configure **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**.
-Enable automatic restart at the scheduled time | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\Windows Components\\Windows Update\\Always automatically restart at the scheduled time**
-Replace "blue screen" with blank screen for OS errors | Add the following registry key as DWORD (32-bit) type with a value of `1`:**HKLM\SYSTEM\CurrentControlSet\Control\CrashControl\DisplayDisabled**
-Put device in **Tablet mode**. | If you want users to be able to use the touch (on screen) keyboard, go to **Settings** > **System** > **Tablet mode** and choose **On.** Do not turn on this setting if users will not interact with the kiosk, such as for a digital sign.
-Hide **Ease of access** feature on the sign-in screen. | See [how to disable the Ease of Access button in the registry.](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen)
-Disable the hardware power button. | Go to **Power Options** > **Choose what the power button does**, change the setting to **Do nothing**, and then **Save changes**.
-Remove the power button from the sign-in screen. | Go to **Computer Configuration** > **Windows Settings** > **Security Settings** > **Local Policies** >**Security Options** > **Shutdown: Allow system to be shut down without having to log on** and select **Disabled.**
-Disable the camera. | Go to **Settings** > **Privacy** > **Camera**, and turn off **Let apps use my camera**.
-Turn off app notifications on the lock screen. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Logon\\Turn off app notifications on the lock screen**.
-Disable removable media. | Go to **Group Policy Editor** > **Computer Configuration** > **Administrative Templates\\System\\Device Installation\\Device Installation Restrictions**. Review the policy settings available in **Device Installation Restrictions** for the settings applicable to your situation.**NOTE**: To prevent this policy from affecting a member of the Administrators group, in **Device Installation Restrictions**, enable **Allow administrators to override Device Installation Restriction policies**.
+- **Hide update notifications**. Starting with Windows 10 version 1809, you can hide notifications from showing on the devices. To enable this feature, you have the following options:
+ - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Display options for update notifications`
+
+ - **Use an MDM provider**: This feature uses the [Update/UpdateNotificationLevel CSP](/windows/client-management/mdm/policy-csp-update#update-updatenotificationlevel). In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+
+ - **Use the registry**:
+
+ 1. Open Registry Editor (regedit).
+ 2. Go to `HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate`.
+ 3. Create a **New** > **DWORD (32-bit) Value**. Enter `SetUpdateNotificationLevel`, and set its value to `1`.
+ 4. Create a **New** > **DWORD (32-bit) Value**. Enter `UpdateNotificationLevel`. For value, you can enter:
+
+ - `1`: Hides all notifications except restart warnings.
+ - `2`: Hides all notifications, including restart warnings.
+
+- **Enable and schedule automatic updates**. To enable this feature, you have the following options:
+
+ - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Configure Automatic Updates`. Select `4 - Auto download and schedule the install`.
+ - **Use an MDM provider**: This feature uses the [Update/AllowAutoUpdate CSP](/windows/client-management/mdm/policy-csp-update#update-allowautoupdate). Select `3 - Auto install and restart at a specified time`. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+
+ You can also schedule automatic updates, including **Schedule Install Day**, **Schedule Install Time**, and **Schedule Install Week**. Installations can take between 30 minutes and 2 hours, depending on the device. Schedule updates to occur when a block of 3-4 hours is available.
+
+- **Enable automatic restart at the scheduled time**. To enable this feature, you have the following options:
+
+ - **Use Group policy**: `Computer Configuration\Administrative Templates\Windows Components\Windows Update\Always automatically restart at the scheduled time`. Select `4 - Auto download and schedule the install`.
+
+ - **Use an MDM provider**: This feature uses the [Update/ActiveHoursStart](/windows/client-management/mdm/policy-csp-update#update-activehoursstart) and [Update/ActiveHoursEnd](/windows/client-management/mdm/policy-csp-update#update-activehoursend) CSPs. In Endpoint Manager, you can use the [Windows update settings](/mem/intune/protect/windows-update-settings) to manage this feature.
+
+- **Replace "blue screen" with blank screen for OS errors**. To enable this feature, use the Registry Editor:
+
+ 1. Open Registry Editor (regedit).
+ 2. Go to `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl`.
+ 3. Create a **New** > **DWORD (32-bit) Value**. Enter `DisplayDisabled`, and set its value to `1`.
+
+- **Put device in "Tablet mode"**. If you want users to use the touch screen, without using a keyboard or mouse, then turn on tablet mode using the Settings app. If users won't interact with the kiosk, such as for a digital sign, then don't turn on this setting.
+
+ Applies to Windows 10 only. Currently, Tablet mode isn't supported on Windows 11.
+
+ Your options:
+
+ - Use the **Settings** app:
+ 1. Open the **Settings** app.
+ 2. Go to **System** > **Tablet mode**.
+ 3. Configure the settings you want.
+
+ - Use the **Action Center**:
+ 1. On your device, swipe in from the left.
+ 2. Select **Tablet mode**.
+
+- **Hide "Ease of access" feature on the sign-in screen**: To enable this feature, you have the following options:
+
+ - **Use an MDM provider**: In Endpoint Manager, you can use the [Control Panel and Settings](/mem/intune/configuration/device-restrictions-windows-10#control-panel-and-settings) to manage this feature.
+ - **Use the registry**: For more information, see [how to disable the Ease of Access button in the registry](/windows-hardware/customize/enterprise/complementary-features-to-custom-logon#welcome-screen).
+
+- **Disable the hardware power button**: To enable this feature, you have the following options:
+
+ - **Use the Settings app**:
+ 1. Open the **Settings** app.
+ 2. Go to **System** > **Power & Sleep** > **Additional power settings** > **Choose what the power button does**.
+ 3. Select **Do nothing**.
+ 4. **Save changes**.
+
+ - **Use Group Policy**: Your options:
+
+ - `Computer Configuration\Administrative Templates\System\Power Management\Button Settings`: Set `Select Power Button Action on Battery` and `Select Power Button Action on Plugged In` to **Take no action**.
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
+ - `Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\Shut down the system`: Remove the users or groups from this policy.
+
+ To prevent this policy from affecting a member of the Administrators group, be sure to keep the Administrators group.
+
+ - **Use an MDM provider**: In Endpoint Manager, you have some options:
+
+ - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `Power\Select Power Button Action on Battery`: Set to **Take no action**.
+ - `Power\Select Power Button Action on Plugged In`: Set to **Take no action**.
+ - `Start\Hide Power Button`: Set to **Enabled**. This policy hides the button, but doesn't disable it.
+
+ - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following setting:
+
+ - `\Start menu and Taskbar\Remove and prevent access to the Shut Down, Restart, Sleep, and Hibernate commands`: This policy hides the buttons, but doesn't disable them.
+
+ When looking at settings, check the supported OS for each setting to make sure it applies.
+
+ - [Start settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#start): This option shows this setting, and all the Start menu settings you can manage.
+
+- **Remove the power button from the sign-in screen**. To enable this feature, you have the following options:
+
+ - **Use Group Policy**: `Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Shutdown: Allow system to be shut down without having to log on`. Select **Disabled**.
+
+ - **Use MDM**: In Endpoint Manager, you have the following option:
+
+ - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
+
+ - `Local Policies Security Options\Shutdown Allow System To Be Shut Down Without Having To Log On`: Set to **Disabled**.
+
+- **Disable the camera**: To enable this feature, you have the following options:
+
+ - **Use the Settings app**:
+ 1. Open the **Settings** app.
+ 2. Go to **Privacy** > **Camera**.
+ 3. Select **Allow apps use my camera** > **Off**.
+
+ - **Use Group Policy**: `Computer Configuration\Administrative Templates\Windows Components\Camera: Allow use of camera`: Select **Disabled**.
+
+ - **Use an MDM provider**: This feature uses the [Policy CSP - Camera](/windows/client-management/mdm/policy-csp-camera). In Endpoint Manager, you have the following options:
+
+ - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): This option shows this setting, and more settings you can manage.
+ - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following setting:
+
+ - `Camera\Allow camera`: Set to **Not allowed**.
+
+- **Turn off app notifications on the lock screen**: To enable this feature, you have the following options:
+
+ - **Use the Settings app**:
+
+ 1. Open the **Settings** app.
+ 2. Go to **System** > **Notifications & actions**.
+ 3. In **Show notifications on the lock screen**, select **Off**.
+
+ - **Use Group policy**:
+ - `Computer Configuration\Administrative Templates\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
+
+ - **Use an MDM provider**: This feature uses the [AboveLock/AllowToasts CSP](/windows/client-management/mdm/policy-csp-abovelock#abovelock-allowtoasts). In Endpoint Manager, you have the following options:
+
+ - [Locked screen experience device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#locked-screen-experience): See this setting, and more settings you can manage.
+
+ - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
+ - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
+
+ When looking at settings, check the supported OS for each setting to make sure it applies.
+
+ - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `\Start Menu and Taskbar\Notifications\Turn off toast notifications on the lock screen`: Select **Enabled**.
+ - `\System\Logon\Turn off app notifications on the lock screen`: Select **Enabled**.
+
+- **Disable removable media**: To enable this feature, you have the following options:
+
+ - **Use Group policy**: `Computer Configuration\Administrative Templates\System\Device Installation\Device Installation Restrictions`. Review the available settings that apply to your situation.
+
+ To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
+
+ - **Use an MDM provider**: In Endpoint Manager, you have the following options:
+
+ - [General settings in a device configuration profile](/mem/intune/configuration/device-restrictions-windows-10#general): See the **Removable storage** setting, and more settings you can manage.
+
+ - [Administrative templates](/mem/intune/configuration/administrative-templates-windows): These templates are the administrative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
+
+ To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
+
+ When looking at settings, check the supported OS for each setting to make sure it applies.
+
+ - [Settings Catalog](/mem/intune/configuration/settings-catalog): This option lists all the settings you can configure, including the administrative templates used in on-premises Group Policy. Configure the following settings:
+
+ - `\Administrative Templates\System\Device Installation`: There are several policies you can manage, including restrictions in `\System\Device Installation\Device Installation Restrictions`.
+
+ To prevent this policy from affecting a member of the Administrators group, select `Allow administrators to override Device Installation Restriction policies` > **Enabled**.
## Enable logging
Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues. Logs about configuration and runtime issues can be obtained by enabling the **Applications and Services Logs\Microsoft\Windows\AssignedAccess\Operational** channel, which is disabled by default.
-
+:::image type="content" source="images/enable-assigned-access-log.png" alt-text="On Windows client, open Event Viewer, right-click Operational, select enable log to turn on logging to help troubleshoot.":::
## Automatic logon
-In addition to the settings in the table, you may want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, whether from an update or power outage, you can sign in the assigned access account manually or you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device do not prevent automatic sign in.
+You may also want to set up **automatic logon** for your kiosk device. When your kiosk device restarts, from an update or power outage, you can sign in the assigned access account manually. Or, you can configure the device to sign in to the assigned access account automatically. Make sure that Group Policy settings applied to the device don't prevent automatic sign in.
> [!NOTE]
-> If you are using a Windows 10 and later device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
+> If you are using a Windows client device restriction CSP to set "Preferred Azure AD tenant domain", this will break the "User logon type" auto-login feature of the Kiosk profile.
> [!TIP]
> If you use the [kiosk wizard in Windows Configuration Designer](kiosk-single-app.md#wizard) or [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) to configure your kiosk, you can set an account to sign in automatically in the wizard or XML.
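Review bot: the `Select \`4 - Auto download and schedule the install\`` sentence under **Enable automatic restart at the scheduled time** (the Group Policy bullet for `Always automatically restart at the scheduled time`) looks copied from the **Enable and schedule automatic updates** bullet above it; that numbered option belongs to `Configure Automatic Updates`, whereas the restart policy is set to **Enabled** and given a restart timer, so the trailing sentence should read `Select **Enabled**.` and state the timer value you want administrators to use. Two smaller points in the same hunk: the camera Settings step `Select **Allow apps use my camera** > **Off**` drops the "to" (the removed table row had **Let apps use my camera**, which is the actual toggle name), and the unchanged `Logs can help you [troubleshoot issues](./kiosk-troubleshoot.md) kiosk issues` under **Enable logging** repeats "issues" and could be cleaned up while this section is being rewritten.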
@@ -88,7 +245,7 @@ In addition to the settings in the table, you may want to set up **automatic log
- *DefaultPassword*: set value as the password for the account.
> [!NOTE]
- > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
+ > If *DefaultUserName* and *DefaultPassword* aren't there, add them as **New** > **String Value**.
- *DefaultDomainName*: set value for domain, only for domain accounts. For local accounts, do not add this key.
@@ -104,150 +261,56 @@ In addition to the settings in the table, you may want to set up **automatic log
The following table describes some features that have interoperability issues we recommend that you consider when running assigned access.
-> [!Note]
-> Where applicable, the table notes which features are optional that you can configure for assigned access.
+- **Accessibility**: Assigned access does not change Ease of Access settings. We recommend that you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block the following key combinations that bring up accessibility features:
-
-
+ | Key combination | Blocked behavior |
+ | --- | --- |
+ | Left Alt + Left Shift + Print Screen | Open High Contrast dialog box. |
+ | Left Alt + Left Shift + Num Lock | Open Mouse Keys dialog box. |
+ | Windows logo key + U | Open Ease of Access Center. |
+- **Assigned access Windows PowerShell cmdlets**: In addition to using the Windows UI, you can use the Windows PowerShell cmdlets to set or clear assigned access. For more information, see [Assigned access Windows PowerShell reference](/powershell/module/assignedaccess/)
-
+- **Key sequences blocked by assigned access**: When in assigned access, some key combinations are blocked for assigned access users.
+
+ Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) to block these key combinations.
+
+ Ctrl + Alt + Delete is the key to break out of Assigned Access. If needed, you can use Keyboard Filter to configure a different key combination to break out of assigned access by setting BreakoutKeyScanCode as described in [WEKF_Settings](/windows-hardware/customize/enterprise/wekf-settings).
+
+ | Key combination | Blocked behavior for assigned access users |
+ | --- | --- |
+ | Alt + Esc | Cycle through items in the reverse order from which they were opened. |
+ | Ctrl + Alt + Esc | Cycle through items in the reverse order from which they were opened. |
+ | Ctrl + Esc | Open the Start screen. |
+ | Ctrl + F4 | Close the window. |
+ | Ctrl + Shift + Esc | Open Task Manager. |
+ | Ctrl + Tab | Switch windows within the application currently open. |
+ | LaunchApp1 | Open the app that is assigned to this key. |
+ | LaunchApp2 | Open the app that is assigned to this key, which on many Microsoft keyboards is Calculator. |
+ | LaunchMail | Open the default mail client. |
+ | Windows logo key | Open the Start screen. |
+
+ Keyboard Filter settings apply to other standard accounts.
+
+- **Key sequences blocked by [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter)**: If Keyboard Filter is turned ON, then some key combinations are blocked automatically without you having to explicitly block them. For more information, see the [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter).
+
+ [Keyboard Filter](/windows-hardware/customize/enterprise/keyboardfilter) is only available on Windows client Enterprise or Education.
+
+- **Power button**: Customizations for the Power button complement assigned access, letting you implement features such as removing the power button from the Welcome screen. Removing the power button ensures the user cannot turn off the device when it's in assigned access.
+
+ For more information on removing the power button or disabling the physical power button, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
+
+- **Unified Write Filter (UWF)**: UWFsettings apply to all users, including users with assigned access.
+
+ For more information, see [Unified Write Filter](/windows-hardware/customize/enterprise/unified-write-filter).
+
+- **WEDL_AssignedAccess class**: You can use this class to configure and manage basic lockdown features for assigned access. It's recommended to you use the Windows PowerShell cmdlets instead.
+
+ If you need to use assigned access API, see [WEDL_AssignedAccess](/windows-hardware/customize/enterprise/wedl-assignedaccess).
+
+- **Welcome Screen**: Customizations for the Welcome screen let you personalize not only how the Welcome screen looks, but for how it functions. You can disable the power or language button, or remove all user interface elements. There are many options to make the Welcome screen your own.
+
+ For more information, see [Custom Logon](/windows-hardware/customize/enterprise/custom-logon).
## Testing your kiosk in a virtual machine (VM)
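Review bot: `UWFsettings` in the **Unified Write Filter (UWF)** item is missing a space (`UWF settings`), and `It's recommended to you use the Windows PowerShell cmdlets instead` in the **WEDL_AssignedAccess class** item should read `It's recommended that you use`. Also in this hunk: the **Assigned access Windows PowerShell cmdlets** item ends without a period; `Alt + F4, Alt + Shift + Tab, Alt + Tab are not blocked by Assigned Access, it's recommended you use ...` is a comma splice and reads better as two sentences; `Keyboard Filter settings apply to other standard accounts.` sits after the blocked-keys table with nothing for "other" to refer to, so say which accounts are meant; and `not only how the Welcome screen looks, but for how it functions` in the **Welcome Screen** item should be `but also how it functions`.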
@@ -257,8 +320,8 @@ A single-app kiosk configuration runs an app above the lock screen. It doesn't w
When you connect to a VM configured as a single-app kiosk, you need a *basic* session rather than an enhanced session. In the following image, notice that **Enhanced session** is not selected in the **View** menu; that means it's a basic session.
-
+:::image type="content" source="images/vm-kiosk.png" alt-text="Use a basic session to connect a virtual machine. In the View menu, Extended session isn't selected, which means basic is used.":::
-To connect to a VM in a basic session, do not select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog.
+To connect to a VM in a basic session, don't select **Connect** in the connection dialog, as shown in the following image, but instead, select the **X** button in the upper-right corner to cancel the dialog:
-
\ No newline at end of file
+:::image type="content" source="images/vm-kiosk-connect.png" alt-text="Don't select the connect button. Use the close X in the top corner to connect to a VM in basic session.":::
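Review bot: the alt text on `vm-kiosk.png` says `Extended session isn't selected`, while the sentence above it and the Hyper-V **View** menu call the option **Enhanced session**; use the same term in the alt text so that screen-reader users hear the menu item they need to check. The alt text on `vm-kiosk-connect.png` also says `to connect to a VM in basic session`, which should be `in a basic session` to match the body text.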
diff --git a/windows/configuration/kiosk-shelllauncher.md b/windows/configuration/kiosk-shelllauncher.md
index 73e724bd75..3b720d1bbe 100644
--- a/windows/configuration/kiosk-shelllauncher.md
+++ b/windows/configuration/kiosk-shelllauncher.md
@@ -1,8 +1,8 @@
---
-title: Use Shell Launcher to create a Windows 10 kiosk (Windows 10)
+title: Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)
description: Shell Launcher lets you change the default shell that launches when a user signs in to a device.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
-ms.reviewer:
+ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@@ -14,13 +14,14 @@ ms.localizationpriority: medium
ms.topic: article
---
-# Use Shell Launcher to create a Windows 10 kiosk
+# Use Shell Launcher to create a Windows client kiosk
**Applies to**
- Windows 10 Ent, Edu
+- Windows 11
-Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows 10, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10, version 1809 and above, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
+Using Shell Launcher, you can configure a device that runs an application as the user interface, replacing the default shell (explorer.exe). In **Shell Launcher v1**, available in Windows client, you can only specify a Windows desktop application as the replacement shell. In **Shell Launcher v2**, available in Windows 10 version 1809+ / Windows 11, you can also specify a UWP app as the replacement shell. To use **Shell Launcher v2** in Windows 10 version 1809, you need to install the [KB4551853](https://support.microsoft.com/help/4551853) update.
>[!NOTE]
>Shell Launcher controls which application the user sees as the shell after sign-in. It does not prevent the user from accessing other desktop applications and system components.
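Review bot: the **Applies to** list now reads `Windows 10 Ent, Edu` followed by a bare `Windows 11`; since the page scopes Windows 10 to Enterprise and Education, the Windows 11 line should carry the same edition qualifier, or state explicitly that every Windows 11 edition is covered if that is the intent. The H1 (`Use Shell Launcher to create a Windows client kiosk`) also no longer matches the `title:` front matter changed in the previous hunk (`Use Shell Launcher to create a Windows 10/11 kiosk (Windows 10/11)`); pick one wording for both. In the rewritten paragraph, `available in Windows client` for Shell Launcher v1 is vaguer than the `available in Windows 10` it replaces, and `Windows 10 version 1809+ / Windows 11` would read more cleanly as `Windows 10 version 1809 and later, and Windows 11`.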
@@ -30,7 +31,7 @@ Using Shell Launcher, you can configure a device that runs an application as the
>- [AppLocker](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-overview) - Application control policies
>- [Mobile Device Management](/windows/client-management/mdm) - Enterprise management of device security policies
-You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). In Windows 10, version 1803 and later, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
+You can apply a custom shell through Shell Launcher [by using PowerShell](#configure-a-custom-shell-using-powershell). Starting with Windows 10 version 1803+, you can also [use mobile device management (MDM)](#configure-a-custom-shell-in-mdm) to apply a custom shell through Shell Launcher.
## Differences between Shell Launcher v1 and Shell Launcher v2
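Review bot: `Starting with Windows 10 version 1803+` doubles up the range marker; either `Starting with Windows 10 version 1803` or `Windows 10 version 1803 and later` is enough on its own.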
@@ -292,7 +293,7 @@ Value|Description
These action can be used as default action, or can be mapped to a specific exit code. Refer to [Shell Launcher](/windows-hardware/customize/enterprise/wesl-usersettingsetcustomshell) to see how these codes with Shell Launcher WMI.
-To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommeded to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
+To configure these action with Shell Launcher CSP, use below syntax in the shell launcher configuration xml. You can specify at most 4 custom actions mapping to 4 exit codes, and one default action for all other exit codes. When app exits and if the exit code is not found in the custom action mapping, or there is no default action defined, it will be no-op, i.e. nothing happens. So it's recommended to at least define DefaultAction. [Get XML examples for different Shell Launcher v2 configurations.](https://github.com/Microsoft/Windows-iotcore-samples/tree/develop/Samples/ShellLauncherV2)
``` xml
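Review bot: the change only fixes `recommeded`, but the rest of the sentence keeps several grammar errors worth fixing in the same pass: `To configure these action` should be `these actions`, `use below syntax` should be `use the syntax below`, and `When app exits and if the exit code is not found` should be `When the app exits, if the exit code is not found`. The unchanged context line above it has the same problems (`These action can be used` and `see how these codes with Shell Launcher WMI`, which is missing its verb, for example `how these codes map to Shell Launcher WMI`).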
-
-
-
-Feature
-Description
-
-
-
-
-
-
-
-
-
-
-Key combination
-Blocked behavior
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-Key combination
-Blocked behavior for assigned access users
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
-
This method is supported on Windows 10 Pro, Enterprise, and Education.
-[PowerShell](#powershell) | You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
This method is supported on Windows 10 Pro, Enterprise, and Education.
-[The kiosk wizard in Windows Configuration Designer](#wizard) | Windows Configuration Designer is a tool that produces a *provisioning package*, which is a package of configuration settings that can be applied to one or more devices during the first-run experience (OOBE) or after OOBE is done (runtime). You can also create the kiosk user account and install the kiosk app, as well as other useful settings, using the kiosk wizard.
This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
-[Microsoft Intune or other mobile device management (MDM) provider](#mdm) | For managed devices, you can use MDM to set up a kiosk configuration.
This method is supported on Windows 10 Pro (version 1709 and later), Enterprise, and Education.
+- [Locally, in Settings](#local): The **Set up a kiosk** (previously named **Set up assigned access**) option in **Settings** is a quick and easy method to set up a single device as a kiosk for a local standard user account.
+ This option supports:
->[!TIP]
->You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
+ - Windows 10 Pro, Enterprise, and Education
+ - Windows 11
+
+- [PowerShell](#powershell): You can use Windows PowerShell cmdlets to set up a single-app kiosk. First, you need to [create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) on the device and install the kiosk app for that account.
+
+ This option supports:
+
+ - Windows 10 Pro, Enterprise, and Education
+ - Windows 11
+
+- [The kiosk wizard in Windows Configuration Designer](#wizard): Windows Configuration Designer is a tool that produces a *provisioning package*. A provisioning package includes configuration settings that can be applied to one or more devices during the first-run experience (OOBE), or after OOBE is done (runtime). Using the kiosk wizard, you can also create the kiosk user account, install the kiosk app, and configure more useful settings.
+
+ This option supports:
+
+ - Windows 10 Pro version 1709+, Enterprise, and Education
+ - Windows 11
+
+- [Microsoft Intune or other mobile device management (MDM) provider](#mdm): For devices managed by your organization, you can use MDM to set up a kiosk configuration.
+
+ This option supports:
+
+ - Windows 10 Pro version 1709+, Enterprise, and Education
+ - Windows 11
+
+> [!TIP]
+> You can also configure a kiosk account and app for single-app kiosk within [XML in a provisioning package](lock-down-windows-10-to-specific-apps.md) by using a [kiosk profile](lock-down-windows-10-to-specific-apps.md#profile).
>
->Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
-
+> Be sure to check the [configuration recommendations](kiosk-prepare.md) before you set up your kiosk.
## Set up a kiosk in local Settings
->App type: UWP
+>App type:
+> - UWP
>
->OS edition: Windows 10 Pro, Ent, Edu
+>OS:
+> - Windows 10 Pro, Ent, Edu
+> - Windows 11
>
->Account type: Local standard user
+>Account type:
+> - Local standard user
You can use **Settings** to quickly configure one or a few devices as a kiosk.
-When your kiosk is a local device that is not managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
+When your kiosk is a local device that isn't managed by Active Directory or Azure Active Directory, there is a default setting that enables automatic sign-in after a restart. That means that when the device restarts, the last signed-in user will be signed in automatically. If the last signed-in user is the kiosk account, the kiosk app will be launched automatically after the device restarts.
-- If you want the kiosk account signed in automatically and the kiosk app launched when the device restarts, there is nothing you need to do.
+- If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts, then you don't need to do anything.
-- If you do not want the kiosk account signed in automatically when the device restarts, you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account, go to **Settings** > **Accounts** > **Sign-in options**, and toggle the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
+- If you don't want the kiosk account to sign in automatically when the device restarts, then you must change the default setting before you configure the device as a kiosk. Sign in with the account that you will assign as the kiosk account. Open the **Settings** app > **Accounts** > **Sign-in options**. Set the **Use my sign-in info to automatically finish setting up my device after an update or restart** setting to **Off**. After you change the setting, you can apply the kiosk configuration to the device.
-
+ 
-### Instructions for Windows 10, version 1809
+### Windows 10 version 1809+ / Windows 11
-When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1809, you create the kiosk user account at the same time.
+When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows client, you create the kiosk user account at the same time. To set up assigned access in PC settings:
-**To set up assigned access in PC settings**
-
-1. Go to **Start** > **Settings** > **Accounts** > **Other users**.
+1. Open the **Settings** app > **Accounts**. Select **Other users** or **Family and other users**.
2. Select **Set up a kiosk > Assigned access**, and then select **Get started**.
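Review bot: under the first list item (`[Locally, in Settings](#local)`), `This option supports:` is followed directly by its sub-list, while the three sibling items each put a blank line between `This option supports:` and their sub-lists; make the spacing consistent so the four entries render the same way. Also in this hunk: the `Use my sign-in info ...` image line changes only trailing whitespace and can be dropped if it is unintentional, and `If you want the kiosk account to sign in automatically, and the kiosk app launched when the device restarts` loses its parallel structure; `and the kiosk app to launch when the device restarts` keeps both verbs in the same form.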
@@ -94,15 +115,15 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
To remove assigned access, select the account tile on the **Set up a kiosk** page, and then select **Remove kiosk**.
-### Instructions for Windows 10, version 1803 and earlier
+### Windows 10 version 1803 and earlier
-When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10, version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)
+When you set up a kiosk (also known as *assigned access*) in **Settings** for Windows 10 version 1803 and earlier, you must select an existing local standard user account. [Learn how to create a local standard user account.](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10)

**To set up assigned access in PC settings**
-1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
+1. Go to **Start** > **Settings** > **Accounts** > **Other people**.
2. Select **Set up assigned access**.
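Review bot: the `-`/`+` pair for step 1 ("Go to **Start** > **Settings** > **Accounts** > **Other people**") shows no visible difference, so this is a whitespace-only change; if it's intentional trailing-whitespace cleanup that's fine, otherwise drop it to keep the diff reviewable. The heading rename to "### Windows 10 version 1803 and earlier" matches the previous section's new style.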
@@ -110,26 +131,24 @@ When you set up a kiosk (also known as *assigned access*) in **Settings** for Wi
4. Choose an app. Only apps that can run above the lock screen will be available in the list of apps to choose from. For more information, see [Guidelines for choosing an app for assigned access](guidelines-for-assigned-access-app.md).
-5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account logs on.
+5. Close **Settings** – your choices are saved automatically, and will be applied the next time that user account signs in.
To remove assigned access, choose **Turn off assigned access and sign out of the selected account**.
-
-
-
-
-
-
## Set up a kiosk using Windows PowerShell
->App type: UWP
+>App type:
+> - UWP
>
->OS edition: Windows 10 Pro, Ent, Edu
+>OS:
+> - Windows 10 Pro, Ent, Edu
+> - Windows 11
>
->Account type: Local standard user
+>Account type:
+> - Local standard user
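Review bot: in the reformatted metadata block the label changed from "OS edition" to "OS", and the new "- Windows 11" bullet carries no edition list while the Windows 10 bullet keeps "Pro, Ent, Edu". Because the old label made the edition requirement explicit, either keep "OS edition" or write the supported Windows 11 editions out (for example "- Windows 11 Pro, Ent, Edu") so nobody assumes the PowerShell setup works on editions it doesn't. The blank lines removed before "## Set up a kiosk using Windows PowerShell" are fine, but keep one blank line ahead of the heading for rendering.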

@@ -137,59 +156,49 @@ You can use any of the following PowerShell cmdlets to set up assigned access on
Before you run the cmdlet:
-1. Log in as administrator.
+1. Sign in as administrator.
2. [Create the user account](https://support.microsoft.com/help/4026923/windows-create-a-local-user-or-administrator-account-in-windows-10) for Assigned Access.
-3. Log in as the Assigned Access user account.
+3. Sign in as the Assigned Access user account.
4. Install the Universal Windows app that follows the assigned access/above the lock guidelines.
-5. Log out as the Assigned Access user account.
-6. Log in as administrator.
+5. Sign out as the Assigned Access user account.
+6. Sign in as administrator.
-To open PowerShell on Windows 10, search for PowerShell and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
+To open PowerShell on Windows client, search for PowerShell, and find **Windows PowerShell Desktop app** in the results. Run PowerShell as administrator.
-**Configure assigned access by AppUserModelID and user name**
-
-```
-Set-AssignedAccess -AppUserModelId
-
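Review bot: step 2 of the prerequisites still links to the generic "create a local user or administrator account" support article, while the metadata block above this hunk says the cmdlet targets a local standard user; say "create a local standard user account" in step 2 so an administrator account isn't picked by mistake (the same wording is already used in the 1803 section). The removed "Configure assigned access by AppUserModelID and user name" heading and its untagged ```Set-AssignedAccess -AppUserModelId``` fence are cut off in this view of the diff; confirm the replacement cmdlet example survives and that its fence carries a `powershell` language tag, which the old one lacked.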
+ - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`.
+ - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades).
+ - **Configure devices for shared use**: This setting optimizes Windows client for shared use scenarios, and isn't necessary for a kiosk scenario. Set this value to **No**, which may be the default.
+ - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
+2. Set up the network:
+
+ :::image type="content" source="images/set-up-network-details.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
+
+ If you want to enable network setup, select **Set up network**, and configure the following settings:
+
+ - **Set up network**: To enable wireless connectivity, select **On**.
+ - **Network SSID**: Enter the Service Set Identifier (SSID) of the network.
+ - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
+
+3. Enable account management:
+
+ :::image type="content" source="images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+
+ If you want to enable account management, select **Account Management**, and configure the following settings:
+
+ - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
+ - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
+ - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+
+ If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+
+ You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+
+ - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
+
+4. Add applications:
+
+ :::image type="content" source="images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application that will run in kiosk mode.":::
+
+ To add applications to the devices, select **Add applications**. You can install multiple applications in a provisioning package, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provisioning-packages/provision-pcs-with-apps.md).
+
+ > [!WARNING]
+ > If you select the plus button to add an application, you must enter an application for the provisioning package to validate. If you select the plus button by mistake, then:
+ >
+ > 1. In **Installer Path**, select any executable file.
+ > 2. When the **Cancel** button shows, select it.
+ >
+ > These steps let you complete the provisioning package without adding an application.
+
+5. Add certificates:
+
+ :::image type="content" source="images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
+
+ To add a certificate to the devices, select **Add certificates**, and configure the following settings:
+
+ - **Certificate name**: Enter a name for the certificate.
+ - **Certificate path**: Browse and select the certificate you want to add.
+
+6. Configure the kiosk account, and the kiosk mode app:
+
+ :::image type="content" source="images/kiosk-account-details.png" alt-text="In Windows Configuration Designer, the Configure kiosk common settings button is shown when provisioning a kiosk device.":::
+
+ To add the account that runs the app and choose the app type, select **Configure kiosk account and app**, and configure the following settings:
+
+ - **Create a local standard user account to run the kiosk mode app**: Select **Yes** to create a local standard user account, and enter the **User name** and **Password**. This user account runs the app. If you select **No**, make sure you have an existing user account to run the kiosk app.
+ - **Auto sign-in**: Select **Yes** to automatically sign in the account when the device starts. **No** doesn't automatically sign in the account. If there are issues with auto sign-in after you apply the provisioning package, then check the Event Viewer logs for auto logon issues (`Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational`).
+ - **Configure the kiosk mode app**: Enter the **User name** of the account that will run the kiosk mode app. In **App type**, select the type of app to run. Your options:
+ - **Windows desktop application**: Enter the path or filename. If the file path is in the PATH environment variable, then you can use the filename. Otherwise, the full path is required.
+ - **Universal Windows app**: Enter the AUMID.
+
+7. Configure kiosk common settings:
+
+ :::image type="content" source="images/kiosk-common-details.png" alt-text="In Windows Configuration Designer, set tablet mode, configure the welcome and shutdown screens, and turn off the power timeout settings.":::
+
+ To configure the tablet mode, configure welcome and shutdown screens, and set the power settings, select **Configure kiosk common settings**, and configure the following settings:
+
+ - **Set tablet mode**
+ - **Customize user experience**
+ - **Configure power settings**
+
+8. Finish:
+
+ :::image type="content" source="images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::
+
+ To complete the wizard, select **Finish**, and configure the following setting:
+
+ - **Protect your package**: Select **Yes** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
>[!NOTE]
->If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**
+>If you want to use [the advanced editor in Windows Configuration Designer](provisioning-packages/provisioning-create-package.md#configure-settings), specify the user account and app (by AUMID) in **Runtime settings** > **AssignedAccess** > **AssignedAccessSettings**
>[!IMPORTANT]
>When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
-
-
-
[Learn how to apply a provisioning package.](provisioning-packages/provisioning-apply-package.md)
-
-
-
-
-
-
-
## Set up a kiosk or digital sign using Microsoft Intune or other MDM service
->App type: UWP
+>App type:
+> - UWP
>
->OS edition: Windows 10 Pro (version 1709), Ent, Edu
+>OS:
+> - Windows 10 Pro version 1709+, Ent, Edu
+> - Windows 11
>
->Account type: Local standard user, Azure AD
-
-
+>Account type:
+> - Local standard user
+> - Azure AD
Microsoft Intune and other MDM services enable kiosk configuration through the [AssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/assignedaccess-csp). Assigned Access has a `KioskModeApp` setting. In the `KioskModeApp` setting, you enter the user account name and the [AUMID](/windows-hardware/customize/enterprise/find-the-application-user-model-id-of-an-installed-app) for the app to run in kiosk mode.
>[!TIP]
->Starting in Windows 10, version 1803, a ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
+>A ShellLauncher node has been added to the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
-To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
+To configure a kiosk in Microsoft Intune, see [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For other MDM services, see the documentation for your provider.
## Sign out of assigned access
-To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the login screen timeout, the kiosk app will be re-launched. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
+To exit the assigned access (kiosk) app, press **Ctrl + Alt + Del**, and then sign in using another account. When you press **Ctrl + Alt + Del** to sign out of assigned access, the kiosk app will exit automatically. If you sign in again as the assigned access account or wait for the sign in screen timeout, the kiosk app relaunches. The assigned access user will remain signed in until an admin account opens **Task Manager** > **Users** and signs out the user account.
If you press **Ctrl + Alt + Del** and do not sign in to another account, after a set time, assigned access will resume. The default time is 30 seconds, but you can change that in the following registry key:
-**HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI**
+`HKEY\_LOCAL\_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`
To change the default time for assigned access to resume, add *IdleTimeOut* (DWORD) and enter the value data as milliseconds in hexadecimal.
-
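Review bot: the registry path at the end of "Sign out of assigned access" was moved into a code span but kept its markdown escapes (`HKEY\_LOCAL\_MACHINE\SOFTWARE\...`); inside backticks the backslashes render literally, so write `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI`. In the wizard steps, the "Local administrator" bullet in step 3 and the kiosk account **Password** in step 6 both put credentials into the package, but the warning that project files are not encrypted only appears in the IMPORTANT note after the wizard; add a pointer from those two bullets to "Protect your package" in step 8 and to that note so the reader sees it before typing a password. The Azure AD bullet's "maximum is 180 days" token expiry would also read better paired with a suggestion to set the shortest expiry the rollout needs, since the bulk token joins devices for whoever holds the package.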
diff --git a/windows/configuration/kiosk-troubleshoot.md b/windows/configuration/kiosk-troubleshoot.md
index e34bee8204..83bba68ec0 100644
--- a/windows/configuration/kiosk-troubleshoot.md
+++ b/windows/configuration/kiosk-troubleshoot.md
@@ -1,8 +1,8 @@
---
-title: Troubleshoot kiosk mode issues (Windows 10)
+title: Troubleshoot kiosk mode issues (Windows 10/11)
description: Learn how to troubleshoot single-app and multi-app kiosk configurations, as well as common problems like sign-in issues.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
-ms.reviewer:
+ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions"]
ms.prod: w10
@@ -20,12 +20,13 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
## Single-app kiosk issues
>[!TIP]
->We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#test-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
+>We recommend that you [enable logging for kiosk issues](kiosk-prepare.md#enable-logging). For some failures, events are only captured once. If you enable logging after an issue occurs with your kiosk, the logs may not capture those one-time events. In that case, prepare a new kiosk environment (such as a [virtual machine (VM)](kiosk-prepare.md#testing-your-kiosk-in-a-virtual-machine-vm)), set up your kiosk account and configuration, and try to reproduce the problem.
### Sign-in issues
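Review bot: the in-page link target changed from `#test-vm` to `#testing-your-kiosk-in-a-virtual-machine-vm`, which is an auto-generated heading slug; confirm the heading in kiosk-prepare.md renders exactly that anchor (auto anchors change whenever the heading text is edited), or keep an explicit anchor so the link doesn't break silently next time the heading is reworded. The `- Windows 10` replace pair under "Applies to" is a whitespace-only change.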
@@ -38,6 +39,9 @@ Check the Event Viewer logs for auto logon issues under **Applications and Servi
## Multi-app kiosk issues
+> [!NOTE]
+> [!INCLUDE [Multi-app kiosk mode not supported on Windows 11](./includes/multi-app-kiosk-support-windows11.md)]
+
### Unexpected results
For example:
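Review bot: putting `[!INCLUDE ...]` on a `>` line inside a `[!NOTE]` alert nests the included file's content in the blockquote; if includes/multi-app-kiosk-support-windows11.md itself begins with an alert, the result is a double blockquote, so check the rendered output. Also, the include's name says multi-app kiosk mode is not supported on Windows 11 while the "Applies to" list at the top of this article now lists Windows 11 without qualification; a short qualifier there (single-app kiosk only on Windows 11) keeps the two statements consistent.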
diff --git a/windows/configuration/kiosk-validate.md b/windows/configuration/kiosk-validate.md
index 13ba945753..a43d130016 100644
--- a/windows/configuration/kiosk-validate.md
+++ b/windows/configuration/kiosk-validate.md
@@ -1,8 +1,8 @@
---
-title: Validate kiosk configuration (Windows 10)
-description: In this article, learn what to expect on a multi-app kiosk in Windows 10 Pro, Enterprise, and Education.
+title: Validate kiosk configuration (Windows 10/11)
+description: In this article, learn what to expect on a multi-app kiosk in Windows 10/11 Pro, Enterprise, and Education.
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
-ms.reviewer:
+ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage"]
@@ -11,7 +11,6 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
-ms.date: 07/30/2018
ms.topic: article
---
@@ -20,7 +19,8 @@ ms.topic: article
**Applies to**
-- Windows 10 Pro, Enterprise, and Education
+- Windows 10 Pro, Enterprise, and Education
+- Windows 11
To identify the provisioning packages applied to a device, go to **Settings** > **Accounts** > **Access work or school**, and then click **Add or remove a provisioning package**. You should see a list of packages that were applied to the device.
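Review bot: adding "- Windows 11" under "Applies to" conflicts with this article's own description ("what to expect on a multi-app kiosk in Windows 10/11") and with the include added to kiosk-troubleshoot.md in this same PR, whose name states that multi-app kiosk mode is not supported on Windows 11. Either drop Windows 11 here or add the same include at the top of this article, so readers aren't told to validate a configuration the platform won't apply.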
diff --git a/windows/configuration/kiosk-xml.md b/windows/configuration/kiosk-xml.md
index 36dd8ce054..5ffdb783e5 100644
--- a/windows/configuration/kiosk-xml.md
+++ b/windows/configuration/kiosk-xml.md
@@ -1,8 +1,8 @@
---
-title: Assigned Access configuration kiosk XML reference (Windows 10)
-description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10.
+title: Assigned Access configuration kiosk XML reference (Windows 10/11)
+description: Learn about the assigned access configuration (kiosk) for XML and XSD for kiosk device configuration in Windows 10/11.
ms.assetid: 14DDDC96-88C7-4181-8415-B371F25726C8
-ms.reviewer:
+ms.reviewer: sybruckm
manager: dansimp
keywords: ["lockdown", "app restrictions", "applocker"]
ms.prod: w10
@@ -11,7 +11,6 @@ ms.sitesec: library
ms.pagetype: edu, security
author: greg-lindsay
ms.localizationpriority: medium
-ms.date: 10/02/2018
ms.author: greglin
ms.topic: article
---
@@ -21,7 +20,8 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
## Full XML sample
@@ -255,9 +255,16 @@ This sample demonstrates that both UWP and Win32 apps can be configured to autom
```
## Global Profile Sample XML
-Global Profile is currently supported in Windows 10, version 2004. Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
-This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in
+Global Profile is supported on:
+
+- Windows 10 version 2004+
+- Windows 11
+
+Global Profile is designed for scenarios where a user does not have a designated profile, yet IT Admin still wants the user to run in lockdown mode, or used as mitigation when a profile cannot be determined for a user.
+
+This sample demonstrates that only a global profile is used, no active user configured. Global profile will be applied when every non-admin account logs in.
+
```xml
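Review bot: the new sentence "Global profile will be applied when every non-admin account logs in" is the security-relevant part of this sample and deserves a sharper statement: the profile is not applied to administrator accounts, so any account in the local Administrators group gets an unrestricted session on the kiosk; say that explicitly, and use "signs in" to match the terminology adopted elsewhere in this PR. "yet IT Admin still wants" also reads awkwardly; "but the IT admin still wants" is cleaner.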
-Enable device setup if you want to configure settings on this page.If enabled:Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Configure devices for shared use off. This setting optimizes Windows 10 for shared use scenarios and isn't necessary for a kiosk scenario.You can also select to remove pre-installed software from the device.
-
Enable network setup if you want to configure settings on this page.If enabled:Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
-
Enable account management if you want to configure settings on this page. If enabled:You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
-
You can provision the kiosk app in the Add applications step. You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with appsWarning: If you click the plus button to add an application, you must specify an application for the provisioning package to validate. If you click the plus button in error, select any executable file in Installer Path, and then a Cancel button becomes available, allowing you to complete the provisioning package without an application.
-
To provision the device with a certificate for the kiosk app, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
-
You can create a local standard user account that will be used to run the kiosk app. If you toggle No, make sure that you have an existing user account to run the kiosk app.If you want to create an account, enter the user name and password, and then toggle Yes or No to automatically sign in the account when the device starts. (If you encounter issues with auto sign-in after you apply the provisioning package, check the Event Viewer logs for auto logon issues under Applications and Services Logs\Microsoft\Windows\Authentication User Interface\Operational.)In Configure the kiosk mode app, enter the name of the user account that will run the kiosk mode app. Select the type of app to run in kiosk mode, and then enter the path or filename (for a Windows desktop application) or the AUMID (for a Universal Windows app). For a Windows desktop application, you can use the filename if the path to the file is in the PATH environment variable, otherwise the full path is required.
-
On this step, select your options for tablet mode, the user experience on the Welcome and shutdown screens, and the timeout settings.
- You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
+| New features and improvements | In update |
+| --- | ---|
+| - Configure [a single-app kiosk profile](#profile) in your XML file
- Assign [group accounts to a config profile](#config-for-group-accounts)
- Configure [an account to sign in automatically](#config-for-autologon-account) | Windows 10, version 1803 |
| - Explicitly allow [some known folders when user opens file dialog box](#fileexplorernamespacerestrictions)
- [Automatically launch an app](#allowedapps) when the user signs in
- Configure a [display name for the autologon account](#config-for-autologon-account) | Windows 10, version 1809
**Important:** To use features released in Windows 10, version 1809, make sure that [your XML file](#create-xml-file) references `https://schemas.microsoft.com/AssignedAccess/201810/config`. |
>[!WARNING]
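Review bot: the new "New features and improvements | In update" header row starts a table whose first cell continues across several lines of bullets ("- Assign [group accounts ...", "- Configure [an account to sign in automatically] ..."), and the second row ends with a separate "**Important:** ... `https://schemas.microsoft.com/AssignedAccess/201810/config`" line; markdown table cells can't contain line breaks, so those lines fall outside the table when rendered. Join each cell onto one line with `<br>` separators, or replace the table with one short subsection per release.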
@@ -43,7 +45,10 @@ You can configure multi-app kiosks using [Microsoft Intune](#intune) or a [provi
## Configure a kiosk in Microsoft Intune
-To configure a kiosk in Microsoft Intune, see [Windows 10 and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings). For explanations of the specific settings, see [Windows 10 and later device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows).
+To configure a kiosk in Microsoft Intune, see:
+
+- [Windows client and Windows Holographic for Business device settings to run as a dedicated kiosk using Intune](/intune/kiosk-settings)
+- [Windows client device settings to run as a kiosk in Intune](/intune/kiosk-settings-windows)
@@ -59,7 +64,7 @@ Watch how to use a provisioning package to configure a multi-app kiosk.
>[!VIDEO https://www.microsoft.com/videoplayer/embed/fa125d0f-77e4-4f64-b03e-d634a4926884?autoplay=false]
-If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#alternate-methods) or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
+If you don't want to use a provisioning package, you can deploy the configuration XML file using [mobile device management (MDM)](#use-mdm-to-deploy-the-multi-app-configuration), or you can configure assigned access using the [MDM Bridge WMI Provider](kiosk-mdm-bridge.md).
### Prerequisites
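Review bot: same anchor concern as the kiosk-prepare.md link in kiosk-troubleshoot.md: `#use-mdm-to-deploy-the-multi-app-configuration` is an auto-generated slug, so it only resolves if a heading in this file renders exactly that anchor; verify it after the heading rename, since a broken in-page link here sends readers away from the MDM deployment path entirely.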
@@ -114,7 +119,7 @@ You can start your file by pasting the following XML (or any other examples in t
There are two types of profiles that you can specify in the XML:
- **Lockdown profile**: Users assigned a lockdown profile will see the desktop in tablet mode with the specific apps on the Start screen.
-- **Kiosk profile**: New in Windows 10, version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.
+- **Kiosk profile**: Starting with Windows 10 version 1803, this profile replaces the KioskModeApp node of the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). Users assigned a kiosk profile will not see the desktop, but only the kiosk app running in full-screen mode.
A lockdown profile section in the XML has the following entries:
@@ -146,7 +151,7 @@ The profile **Id** is a GUID attribute to uniquely identify the profile. You can
##### AllowedApps
-**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. In Windows 10, version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
+**AllowedApps** is a list of applications that are allowed to run. Apps can be Universal Windows Platform (UWP) apps or Windows desktop applications. Starting with Windows 10 version 1809, you can configure a single app in the **AllowedApps** list to run automatically when the assigned access user account signs in.
- For UWP apps, you need to provide the App User Model ID (AUMID). [Learn how to get the AUMID](./find-the-application-user-model-id-of-an-installed-app.md), or [get the AUMID from the Start Layout XML](#startlayout).
- For desktop apps, you need to specify the full path of the executable, which can contain one or more system environment variables in the form of %variableName% (i.e. %systemroot%, %windir%).
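Review bot: the reworded first sentence is fine; in the unchanged context below it, "(i.e. %systemroot%, %windir%)" lists examples rather than a definition, so it should read "(e.g. %systemroot%, %windir%)". Since this list is the allowlist for the kiosk, it is worth stating in the same bullet that only system environment variables are expanded, which the sentence implies but does not say outright.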
@@ -189,7 +194,7 @@ The following example allows Groove Music, Movies & TV, Photos, Weather, Calcula
##### FileExplorerNamespaceRestrictions
-Starting in Windows 10, version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune.
+Starting in Windows 10 version 1809, you can explicitly allow some known folders to be accessed when the user tries to open the file dialog box in multi-app assigned access by including **FileExplorerNamespaceRestrictions** in your XML file. Currently, **Downloads** is the only folder supported. This can also be set using Microsoft Intune.
The following example shows how to allow user access to the Downloads folder in the common file dialog box.
@@ -231,7 +236,7 @@ FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerele
After you define the list of allowed applications, you can customize the Start layout for your kiosk experience. You can choose to pin all the allowed apps on the Start screen or just a subset, depending on whether you want the end user to directly access them on the Start screen.
-The easiest way to create a customized Start layout to apply to other Windows 10 devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
+The easiest way to create a customized Start layout to apply to other Windows client devices is to set up the Start screen on a test device and then export the layout. For detailed steps, see [Customize and export Start layout](customize-and-export-start-layout.md).
A few things to note here:
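Review bot: the hunk header context shows the untouched sentence "FileExplorerNamespaceRestriction has been extended in current Windows 10 Prerelease"; with this PR adding Windows 11 across the article, that sentence is stale and should name the released version the extension shipped in (or be removed). The "Windows 10 devices" to "Windows client devices" rewording in this hunk is consistent with the rest of the PR.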
@@ -269,7 +274,7 @@ This example pins Groove Music, Movies & TV, Photos, Weather, Calculator, Paint,
```
>[!NOTE]
->If an app is not installed for the user but is included in the Start layout XML, the app will not be shown on the Start screen.
+>If an app isn't installed for the user, but is included in the Start layout XML, the app isn't shown on the Start screen.

@@ -333,7 +338,7 @@ The following example shows how to specify an account to sign in automatically.
```
-In Windows 10, version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
+Starting with Windows 10 version 1809, you can configure the display name that will be shown when the user signs in. The following example shows how to create an AutoLogon Account that shows the name "Hello World".
```xml
-
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
diff --git a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
index 38d6791423..65eac1c2a8 100644
--- a/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
+++ b/windows/configuration/provisioning-packages/how-it-pros-can-use-configuration-service-providers.md
@@ -1,8 +1,8 @@
---
-title: Configuration service providers for IT pros (Windows 10)
+title: Configuration service providers for IT pros (Windows 10/11)
description: Describes how IT pros and system administrators can use configuration service providers (CSPs) to configure devices.
ms.assetid: 25C1FDCA-0E10-42A1-A368-984FFDB2B7B6
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
ms.prod: w10
ms.mktglfcycl: manage
@@ -11,34 +11,28 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
---
# Configuration service providers for IT pros
**Applies to**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 11
-This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows 10 and Windows 10 Mobile in their organizations. CSPs expose device configuration settings in Windows 10. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference).
-
-> [!NOTE]
-> The information provided here about CSPs and CSP documentation also applies to Windows Mobile 5, Windows Mobile 6, Windows Phone 7, and Windows Phone 8, but links to current CSPs are for Windows 10 and Windows 10 Mobile.
-
- [See what's new for CSPs in Windows 10, version 1809.](/windows/client-management/mdm/new-in-windows-mdm-enrollment-management#whatsnew1809)
+This article explains how IT pros and system administrators can take advantage of many settings available through configuration service providers (CSPs) to configure devices running Windows client in their organizations. CSPs expose device configuration settings in Windows client. The CSPs are used by mobile device management (MDM) service providers and are documented in the [Hardware Dev Center](/windows/client-management/mdm/configuration-service-provider-reference).
## What is a CSP?
In the client operating system, a CSP is the interface between configuration settings that are specified in a provisioning document and configuration settings that are on the device. CSPs are similar to Group Policy client-side extensions in that they provide an interface to read, set, modify, or delete configuration settings for a given feature. Typically, these settings map to registry keys, files, or permissions. Some of these settings are configurable, and some are read-only.
-Starting with Windows Mobile 5.0, CSPs were used to manage Windows mobile devices. On the Windows 10 platform, the management approach for both desktop and mobile devices converges, taking advantage of the same CSPs to configure and manage all devices running Windows 10.
+On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client.
Each CSP provides access to specific settings. For example, the [Wi-Fi CSP](/windows/client-management/mdm/wifi-csp) contains the settings to create a Wi-Fi profile.
-CSPs are behind many of the management tasks and policies for Windows 10, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
+CSPs are behind many of the management tasks and policies for Windows client, both in Microsoft Intune and in non-Microsoft MDM service providers. For example, in Intune, the policy to allow search suggestions in the Microsoft Edge address bar uses **Browser/AllowSearchSuggestionsinAddressBar** in the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider).
-
+:::image type="content" source="../images/policytocsp.png" alt-text="How intune maps to CSP":::
CSPs receive configuration policies in the XML-based Synchronization Markup Language (SyncML) format, pushed from an MDM-compliant management server, such as Microsoft Intune. Traditional enterprise management systems, such as Microsoft Endpoint Configuration Manager, can also target CSPs, by using a client-side Windows Management Instrumentation (WMI)-to-CSP Bridge.
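Review bot: the replacement sentence "On the Windows client platform, the management approach for desktop uses CSPs to configure and manage all devices running Windows client." is hard to parse ("the management approach for desktop uses CSPs"); suggest "On Windows client, desktop devices are configured and managed through CSPs." Also, the removed "See what's new for CSPs in Windows 10, version 1809" link was the only pointer to the what's-new page; if it is being dropped deliberately together with the Windows Mobile note, fine, otherwise keep it. The new alt text "How intune maps to CSP" should capitalize Intune.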
@@ -48,7 +42,7 @@ The Open Mobile Alliance Device Management (OMA-DM) protocol uses the XML-based
### The WMI-to-CSP Bridge
-The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
+The WMI-to-CSP Bridge is a component allowing configuration of Windows client CSPs using scripts and traditional enterprise management software, such as Configuration Manager using WMI. The bridge is responsible for reading WMI commands and through a component called the common device configurator pass them to a CSP for application on the device.
[Learn how to use the WMI Bridge Provider with PowerShell.](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider)
@@ -56,9 +50,7 @@ The WMI-to-CSP Bridge is a component allowing configuration of Windows 10 CSPs u
Generally, enterprises rely on Group Policy or MDM to configure and manage devices. For devices running Windows, MDM services use CSPs to configure your devices.
-In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried.
-
-Some of the articles in the [Windows 10 and Windows 10 Mobile](/windows/windows-10) library on Technet include links to applicable CSP reference topics, such as [Cortana integration in your business or enterprise](../cortana-at-work/cortana-at-work-overview.md), which links to the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider). In the CSP topics, you can learn about all of the available configuration settings.
+In addition, you may have unmanaged devices, or a large number of devices that you want to configure before enrolling them in management. You may also want to apply custom settings that aren't available through your MDM service. The [CSP documentation](#bkmk-csp-doc) can help you understand the settings that can be configured or queried. You can also learn about all of the available configuration settings.
### CSPs in Windows Configuration Designer
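Review bot: the sentence appended to the new paragraph, "You can also learn about all of the available configuration settings.", no longer says where; the removed paragraph tied that statement to the individual CSP topics. Suggest "Each CSP topic lists all of the available configuration settings." or fold it into the preceding sentence about the CSP documentation.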
@@ -66,9 +58,9 @@ You can use Windows Configuration Designer to create [provisioning packages](./p
Many settings in Windows Configuration Designer will display documentation for that setting in the center pane, and will include a reference to the CSP if the setting uses one, as shown in the following image.
-
+:::image type="content" source="../images/cspinicd.png" alt-text="In Windows Configuration Designer, how help content appears in icd.":::
-[Provisioning packages in Windows 10](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
+[Provisioning packages in Windows client](provisioning-packages.md) explains how to use the Windows Configuration Designer tool to create a runtime provisioning package.
### CSPs in MDM
@@ -78,15 +70,15 @@ When a CSP is available but is not explicitly included in your MDM solution, you
### CSPs in Lockdown XML
-Lockdown XML can be used to configure devices running Windows 10 Mobile. You can manually author a [Lockdown XML file](../mobile-devices/lockdown-xml.md) to make use of the configuration settings available through the [EnterpriseAssignedAccess configuration service provider (CSP)](/windows/client-management/mdm/enterpriseassignedaccess-csp). In Windows 10, version 1703, you can also use the new [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
+Starting with Windows 10 version 1703, you can use the [Lockdown Designer app](../mobile-devices/mobile-lockdown-designer.md) to configure your Lockdown XML.
## How do you use the CSP documentation?
-All CSPs in Windows 10 are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
+All CSPs are documented in the [Configuration service provider reference](/windows/client-management/mdm/configuration-service-provider-reference).
-The [main CSP topic](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows 10, and links to the documentation for each individual CSP.
+The [CSP reference](/windows/client-management/mdm/configuration-service-provider-reference) tells you which CSPs are supported on each edition of Windows, and links to the documentation for each individual CSP.
-
+:::image type="content" source="../images/csptable.png" alt-text="The CSP reference shows the supported Windows editions":::
The documentation for each CSP follows the same structure. After an introduction that explains the purpose of the CSP, a diagram shows the parts of the CSP in tree format.
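Review bot: the "CSPs in Lockdown XML" subsection now keeps only the Lockdown Designer sentence and still links into ../mobile-devices/, while the removed sentence was the only one explaining that Lockdown XML and the EnterpriseAssignedAccess CSP apply to Windows 10 Mobile. Since this change removes Windows 10 Mobile content elsewhere in the article (Applies to, CSP examples), either remove the subsection entirely or keep one sentence stating that Lockdown XML applies to mobile devices only, so readers on Windows 10/11 desktop are not sent to a tool that does not apply to them.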
@@ -94,7 +86,7 @@ The full path to a specific configuration setting is represented by its Open Mob
The following example shows the diagram for the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp). The diagram maps to the XML for that CSP. Notice the different shapes in the diagram: rounded elements are nodes, and rectangular elements are settings or policies for which a value must be supplied.
-
+:::image type="content" source="../images/provisioning-csp-assignedaccess.png" alt-text="The CSP reference shows the assigned access csp tree.":::
The element in the tree diagram after the root node tells you the name of the CSP. Knowing this structure, you would recognize in XML the parts of the URI path for that CSP and, if you saw it in XML, you would know which CSP reference to look up. For example, in the following OMS-URI path for the kiosk mode app settings, you can see that it uses the [AssignedAccess CSP](/windows/client-management/mdm/assignedaccess-csp).
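Review bot: the unchanged context line below the new image reads "OMS-URI path"; the section above introduces the Open Mobile Alliance (OMA-DM) protocol, so "OMA-URI" is intended. Worth fixing while this paragraph is being touched.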
@@ -104,7 +96,7 @@ The element in the tree diagram after the root node tells you the name of the CS
When an element in the diagram uses _italic_ font, it indicates a placeholder for specific information, such as the tenant ID in the following example.
-
+:::image type="content" source="../images/csp-placeholder.png" alt-text="The placeholder in the CSP tree":::
After the diagram, the documentation describes each element. For each policy or setting, the valid values are listed.
@@ -114,26 +106,11 @@ The documentation for most CSPs will also include an XML example.
## CSP examples
-CSPs provide access to a number of settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
+CSPs provide access to many settings useful to enterprises. This section introduces the CSPs that an enterprise might find useful.
-- [EnterpriseAssignedAccess CSP](/windows/client-management/mdm/enterpriseassignedaccess-csp)
-
- The EnterpriseAssignedAccess CSP lets IT administrators configure settings on a Windows 10 Mobile device. An enterprise can make use of this CSP to create single-use or limited-use mobile devices, such as a handheld device that only runs a price-checking app.
-
- In addition to lock screen wallpaper, theme, time zone, and language, the EnterpriseAssignedAccess CSP includes AssignedAccessXml that can be used to lock down the device through the following settings:
-
- - Enabling or disabling the Action Center.
- - Configuring the number of tile columns in the Start layout.
- - Restricting the apps that will be available on the device.
- - Restricting the settings that the user can access.
- - Restricting the hardware buttons that will be operable.
- - Restricting access to the context menu.
- - Enabling or disabling tile manipulation.
- - Creating role-specific configurations.
-
- [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider)
- The Policy CSP enables the enterprise to configure policies on Windows 10 and Windows 10 Mobile. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
+ The Policy CSP enables the enterprise to configure policies on Windows client. Some of these policy settings can also be applied using Group Policy, and the CSP documentation lists the equivalent Group Policy settings.
Some of the settings available in the Policy CSP include the following:
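Review bot: with the EnterpriseAssignedAccess CSP entry removed, the "CSP examples" section now introduces only the Policy CSP, but the intro still says "This section introduces the CSPs that an enterprise might find useful." Either reword the intro to the singular or add a second desktop-relevant example (the Wi-Fi CSP and AssignedAccess CSP are already cited elsewhere in this article).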
@@ -153,7 +130,7 @@ CSPs provide access to a number of settings useful to enterprises. This section
- **Update**, such as whether the device can use Microsoft Update, Windows Server Update Services (WSUS), or Microsoft Store.
- **WiFi**, such as whether Internet sharing is enabled.
-Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Enterprise, or both:
+Here is a list of CSPs supported on Windows 10 Enterprise:
- [ActiveSync CSP](/windows/client-management/mdm/activesync-csp)
- [Application CSP](/windows/client-management/mdm/application-csp)
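Review bot: "Here is a list of CSPs supported on Windows 10 Enterprise:" keeps a Windows 10-only scope while the title and Applies to now include Windows 11 and the rest of the article was changed to "Windows client"; change it to "Windows 10/11 Enterprise" (or "Windows client Enterprise") for consistency, or state explicitly that the list was not verified for Windows 11.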
@@ -211,4 +188,4 @@ Here is a list of CSPs supported on Windows 10 Enterprise, Windows 10 Mobile Ent
- [VPNv2 CSP](/windows/client-management/mdm/vpnv2-csp)
- [Wi-Fi CSP](/documentation/)
- [WindowsLicensing CSP](/windows/client-management/mdm/windowslicensing-csp)
-- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
\ No newline at end of file
+- [WindowsSecurityAuditing CSP](/windows/client-management/mdm/windowssecurityauditing-csp)
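Review bot: the unchanged context line "- [Wi-Fi CSP](/documentation/)" links to a generic /documentation/ path; the Wi-Fi CSP is linked correctly earlier in this article as /windows/client-management/mdm/wifi-csp, so the list entry should use the same target. The trailing-newline fix on the last entry is fine.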
diff --git a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
index 818a935488..f4325299ce 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-for-initial-deployment.md
@@ -1,8 +1,8 @@
---
-title: Provision PCs with common settings (Windows 10)
+title: Provision PCs with common settings (Windows 10/11)
description: Create a provisioning package to apply common settings to a PC running Windows 10.
ms.assetid: 66D14E97-E116-4218-8924-E2A326C9367E
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
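Review bot: the title now says "Windows 10/11" but the description on the next line still reads "a PC running Windows 10"; update it to match, since the body of the article was changed to "Windows client".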
@@ -12,7 +12,6 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
---
# Provision PCs with common settings for initial deployment (desktop wizard)
@@ -20,16 +19,17 @@ ms.date: 07/27/2017
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
-This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows 10 except Windows 10 Home.
+This topic explains how to create and apply a provisioning package that contains common enterprise settings to a device running all desktop editions of Windows client except Home.
You can apply a provisioning package on a USB drive to off-the-shelf devices during setup, making it fast and easy to configure new devices.
## Advantages
- You can configure new devices without reimaging.
-- Works on both mobile and desktop devices.
+- Works on desktop devices.
- No network connectivity required.
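Review bot: "- Works on desktop devices." is no longer an advantage once the mobile comparison is gone; since the article is now desktop-only, drop the bullet or fold it into the intro sentence that already says "all desktop editions of Windows client except Home".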
@@ -51,14 +51,14 @@ The desktop wizard helps you configure the following settings in a provisioning
- Add applications and certificates
>[!WARNING]
->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
Provisioning packages can include management instructions and policies, installation of specific apps, customization of network connections and policies, and more.
> [!TIP]
> Use the desktop wizard to create a package with the common settings, then switch to the advanced editor to add other settings, apps, policies, etc.
>
->
+> :::image type="content" source="../images/icd-simple-edit.png" alt-text="In the desktop wizard, open the advanced editor.":::
## Create the provisioning package
@@ -68,26 +68,76 @@ Use the Windows Configuration Designer tool to create a provisioning package. [L
2. Click **Provision desktop devices**.
- 
+ :::image type="content" source="../images/icd-create-options-1703.png" alt-text="In Windows Configuration Designer, see the ICD start options.":::
3. Name your project and click **Finish**. The pages for desktop provisioning will walk you through the following steps.
- 
+ :::image type="content" source="../images/icd-desktop-1703.png" alt-text="In Windows Configuration Designer, select Finish, and see the ICD desktop provisioning.":::
> [!IMPORTANT]
> When you build a provisioning package, you may include sensitive information in the project files and in the provisioning package (.ppkg) file. Although you have the option to encrypt the .ppkg file, project files are not encrypted. You should store the project files in a secure location and delete the project files when they are no longer needed.
## Configure settings
+1. Enable device setup:
-
-Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
-
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
-
Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
+Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise.
+
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
+
Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions.Warning: You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
-
+ :::image type="content" source="../images/set-up-device-details-desktop.png" alt-text="In Windows Configuration Designer, enable device setup, enter the device name, the product key to upgrade, turn off shared use, and remove preinstalled software.":::
+
+ If you want to enable device setup, select **Set up device**, and configure the following settings:
+
+ - **Device name**: Required. Enter a unique 15-character name for the device. You can use variables to add unique characters to the name, such as `Contoso-%SERIAL%` and `Contoso-%RAND:5%`.
+ - **Enter product key**: Optional. Select a license file to upgrade Windows client to a different edition. For more information, see [the permitted upgrades](/windows/deployment/upgrade/windows-10-edition-upgrades).
+ - **Configure devices for shared use**: Select **Yes** or **No** to optimize the Windows client for shared use scenarios.
+ - **Remove pre-installed software**: Optional. Select **Yes** if you want to remove preinstalled software.
+
+2. Set up the network:
+
+ :::image type="content" source="../images/set-up-network-details-desktop.png" alt-text="In Windows Configuration Designer, turn on wireless connectivity, enter the network SSID, and network type.":::
+
+ If you want to enable network setup, select **Set up network**, and configure the following settings:
+
+ - **Set up network**: To enable wireless connectivity, select **On**.
+ - **Network SSID**: Enter the Service Set IDentifier (SSID) of the network.
+ - **Network type**: Select **Open** or **WPA2-Personal**. If you select **WPA2-Personal**, enter the password for the wireless network.
+
+3. Enable account management:
+
+ :::image type="content" source="../images/account-management-details.png" alt-text="In Windows Configuration Designer, join Active Directory, Azure AD, or create a local admin account.":::
+
+ If you want to enable account management, select **Account Management**, and configure the following settings:
+
+ - **Manage organization/school accounts**: Choose how devices are enrolled. Your options:
+ - **Active Directory**: Enter the credentials for a least-privileged user account to join the device to the domain.
+ - **Azure Active Directory**: Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). In your Azure AD tenant, the **maximum number of devices per user** setting determines how many times the bulk token in the wizard can be used.
+
+ If you select this option, enter a friendly name for the bulk token you get using the wizard. Set an expiration date for the token. The maximum is 180 days from the date you get the token. Select **Get bulk token**. In **Let's get you signed in**, enter an account that has permissions to join a device to Azure AD, and then the password. Select **Accept** to give Windows Configuration Designer the necessary permissions.
+
+ You must run Windows Configuration Designer on Windows client to configure Azure AD enrollment using any of the wizards.
+
+ - **Local administrator**: If you select this option, enter a user name and password. If you create a local account in the provisioning package, you must change the password using the **Settings** app every 42 days. If the password isn't changed during that period, the account might be locked out, and unable to sign in.
+
+4. Add applications:
+
+ :::image type="content" source="../images/add-applications-details.png" alt-text="In Windows Configuration Designer, add an application.":::
+
+ To add applications to the devices, select **Add applications**. You can install multiple applications, including Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps. The settings in this step vary depending on the application you select. For help with the settings, see [Provision PCs with apps](provision-pcs-with-apps.md).
+
+5. Add certificates:
+
+ :::image type="content" source="../images/add-certificates-details.png" alt-text="In Windows Configuration Designer, add a certificate.":::
+
+ To add a certificate to the devices, select **Add certificates**, and configure the following settings:
+
+ - **Certificate name**: Enter a name for the certificate.
+ - **Certificate path**: Browse and select the certificate you want to add.
+
+6. Finish:
+
+ :::image type="content" source="../images/finish-details.png" alt-text="In Windows Configuration Designer, protect your package with a password.":::
+
+ To complete the wizard, select **Finish**, and configure the following setting:
+
+ - **Protect your package**: Select **Yes** or **No** to password protect your provisioning package. When you apply the provisioning package to a device, you must enter this password.
After you're done, click **Create**. It only takes a few seconds. When the package is built, the location where the package is stored is displayed as a hyperlink at the bottom of the page.
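Review bot: the added lines starting at "+Enter a device name. Optionally, you can enter a product key to upgrade the device from Windows 10 Mobile to Windows 10 Mobile Enterprise." re-introduce the Windows 10 Mobile sentence that the same hunk removes, and duplicate the wireless, Azure AD (with the run-together "permissions.Warning:") and package-password paragraphs that the new numbered steps 1 to 6 restate; remove that leftover block so the wizard walkthrough appears once. Two smaller points in the new step list: "Enter a unique 15-character name" reads as exactly 15 characters, where "up to 15 characters" is presumably intended; and since the Active Directory join credentials, the local administrator password and the WPA2-Personal passphrase all end up in the package, consider cross-referencing the IMPORTANT note above (project files are not encrypted) from steps 2 and 3.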
@@ -98,19 +148,17 @@ After you're done, click **Create**. It only takes a few seconds. When the packa
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
-## Related topics
+## Related articles
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [NFC-based device provisioning](../mobile-devices/provisioning-nfc.md)
- [Use the package splitter tool](../mobile-devices/provisioning-package-splitter.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
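Review bot: the "Windows 10 for Mobile Devices" video was removed, but the two ../mobile-devices/ links (NFC-based device provisioning, package splitter tool) remain under Related articles; they are Windows 10 Mobile topics and should be dropped for the same reason, or kept deliberately with a note that they apply to mobile devices only.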
diff --git a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
index f6f7f9876b..182d0e0207 100644
--- a/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
+++ b/windows/configuration/provisioning-packages/provision-pcs-with-apps.md
@@ -1,5 +1,5 @@
---
-title: Provision PCs with apps (Windows 10)
+title: Provision PCs with apps (Windows 10/11)
description: Learn how to install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package.
keywords: ["runtime provisioning", "provisioning package"]
ms.prod: w10
@@ -9,8 +9,7 @@ author: greg-lindsay
ms.localizationpriority: medium
ms.author: greglin
ms.topic: article
-ms.date: 09/06/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
@@ -20,9 +19,10 @@ manager: dansimp
**Applies to**
- Windows 10
+- Windows 11
-In Windows 10, version 1703, you can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This topic explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
+You can install multiple Universal Windows Platform (UWP) apps and Windows desktop applications (Win32) in a provisioning package. This article explains the various settings in [Windows Configuration Designer](provisioning-install-icd.md) for app install.
When you add an app in a Windows Configuration Designer wizard, the appropriate settings are displayed based on the app that you select. For instructions on adding an app using the advanced editor in Windows Configuration Designer, see [Add an app using advanced editor](#adv).
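Review bot: removing "In Windows 10, version 1703" drops the only statement of the minimum version that supports installing multiple apps from a provisioning package; if older Windows 10 builds are still in scope, keep a "Starting with Windows 10, version 1703" qualifier, otherwise the change is fine.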
@@ -33,7 +33,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
- **License Path**: Specify the license file if it is an app from the Microsoft Store. This is optional if you have a certificate for the app.
-- **Package family name**: Specify the package family name if you don’t specify a license. This field will be auto-populated after you specify a license.
+- **Package family name**: Specify the package family name if you don’t specify a license. This field will be autopopulated after you specify a license.
- **Required appx dependencies**: Specify the appx dependency packages that are required for the installation of the app
@@ -44,25 +44,25 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
> [!NOTE]
> You can find more information about command-line options for Msiexec.exe [here](/windows/win32/msi/command-line-options).
-- **Command line arguments**: Optionally, append additional command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE
+- **Command line arguments**: Optionally, append more command arguments. The silent flag is appended for you. Example: PROPERTY=VALUE
-- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install
+- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install
-- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
+- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
+- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
### Exe or other installer
-- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append additional flags
+- **Command line arguments**: Append the command line arguments with a silent flag (required). Optionally, append more flags
- **Return Codes**: Specify the return codes for success and success with restart (0 and 3010 by default respectively) Any return code that is not listed will be interpreted as failure. The text boxes are space delimited.
-- **Continue installations after failure**: Optionally, specify if you want to continue installing additional apps if this app fails to install
+- **Continue installations after failure**: Optionally, specify if you want to continue installing more apps if this app fails to install
-- **Restart required**: Optionally, specify if you want to initiate a reboot after a successful install of this app
+- **Restart required**: Optionally, specify if you want to reboot after a successful install of this app
-- **Required win32 app dependencies**: Optionally, specify additional files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
+- **Required win32 app dependencies**: Optionally, specify more files that are required for the installation of the app. For installers that have multiple file dependencies or have directory structures, [create a cab file of the assets](provisioning-script-to-install-app.md#cab-the-application-assets). The installation script should [include expansion of the .cab file](provisioning-script-to-install-app.md#cab-extract).
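Review bot: only one of the two anchors into provisioning-script-to-install-app.md was updated ("#cab" became "#cab-the-application-assets") while "#cab-extract" in the same sentence is left as is, in both the MSI and Exe sections; if the heading anchors in that article were regenerated from the heading text, "#cab-extract" likely changed too, so verify it still resolves. Also, the unchanged "Return Codes" line is missing a period after "respectively)".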
@@ -72,7 +72,7 @@ When you add an app in a Windows Configuration Designer wizard, the appropriate
1. In the **Available customizations** pane, go to **Runtime settings** > **ProvisioningCommands** > **PrimaryContext** > **Command**.
-2. Enter a name for the first app, and then click **Add**.
+2. Enter a name for the first app, and then select **Add**.

@@ -90,9 +90,9 @@ Universal apps that you can distribute in the provisioning package can be line-o

-3. For **ApplicationFile**, click **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
+3. For **ApplicationFile**, select **Browse** to find and select the target app (either an \*.appx or \*.appxbundle).
-4. For **DependencyAppxFiles**, click **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.
+4. For **DependencyAppxFiles**, select **Browse** to find and add any dependencies for the app. In Microsoft Store for Business, any dependencies for the app are listed in the **Required frameworks** section of the download page.

@@ -102,11 +102,11 @@ Universal apps that you can distribute in the provisioning package can be line-o

- - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and click **Add**.
+ - Open the license file and search for **LicenseID=** to get the GUID, enter the GUID in the **LicenseProductID** field and select **Add**.
-6. In the **Available customizations** pane, click the **LicenseProductId** that you just added.
+6. In the **Available customizations** pane, select the **LicenseProductId** that you just added.
-7. For **LicenseInstall**, click **Browse**, navigate to the license file that you renamed *\
-Enter a name for the device.(Optional) Select a license file to upgrade Windows 10 to a different edition. See the permitted upgrades.Toggle Yes or No to Configure devices for shared use. This setting optimizes Windows 10 for shared use scenarios. Learn more about shared PC configuration.You can also select to remove pre-installed software from the device.
-
Toggle On or Off for wireless network connectivity. If you select On, enter the SSID, the network type (Open or WPA2-Personal), and (if WPA2-Personal) the password for the wireless network.
-
Enable account management if you want to configure settings on this page. You can enroll the device in Active Directory, enroll in Azure Active Directory, or create a local administrator account on the deviceTo enroll the device in Active Directory, enter the credentials for a least-privileged user account to join the device to the domain.Before you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization. The maximum number of devices per user setting in your Azure AD tenant determines how many times the bulk token that you get in the wizard can be used. To enroll the device in Azure AD, select that option and enter a friendly name for the bulk token you will get using the wizard. Set an expiration date for the token (maximum is 180 days from the date you get the token). Click Get bulk token. In the Let's get you signed in window, enter an account that has permissions to join a device to Azure AD, and then the password. Click Accept to give Windows Configuration Designer the necessary permissions. To create a local administrator account, select that option and enter a user name and password. Important: If you create a local account in the provisioning package, you must change the password using the Settings app every 42 days. If the password is not changed during that period, the account might be locked out and unable to sign in.
-
You can install multiple applications, both Windows desktop applications (Win32) and Universal Windows Platform (UWP) apps, in a provisioning package. The settings in this step vary according to the application that you select. For help with the settings, see Provision PCs with apps.
-
To provision the device with a certificate, click Add a certificate. Enter a name for the certificate, and then browse to and select the certificate to be used.
- You can set a password to protect your provisioning package. You must enter this password when you apply the provisioning package to a device.
-
+1. Expand a category:
-For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference topic for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
+ :::image type="content" source="../images/icd-step1.png" alt-text="In Windows Configuration Designer, expand the Certificates category.":::
-
+2. Select a setting:
+
+ :::image type="content" source="../images/icd-step2.png" alt-text="In Windows Configuration Designer, select ClientCertificates.":::
+
+3. Enter a value for the setting. Select **Add** if the button is displayed:
+
+ :::image type="content" source="../images/icd-step3.png" alt-text="In Windows Configuration Designer, enter a name for the certificate.":::
+
+4. Some settings, such as this example, require additional information. In **Available customizations**, select the value you just created, and more settings are displayed:
+
+ :::image type="content" source="../images/icd-step4.png" alt-text="In Windows Configuration Designer, additional settings for client certificate are available.":::
+
+5. When the setting is configured, it is displayed in the **Selected customizations** pane:
+
+ :::image type="content" source="../images/icd-step5.png" alt-text="In Windows Configuration Designer, the selected customizations pane shows your settings.":::
+
+For details on each specific setting, see [Windows Provisioning settings reference](../wcd/wcd.md). The reference article for a setting is also displayed in Windows Configuration Designer when you select the setting, as shown in the following image.
+
+
## Build package
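Review bot: the closing sentence of the new numbered procedure ends with "as shown in the following image", but nothing follows it before the "Build package" heading, so either add the image or drop the phrase. Separately, the removed step 7 ("For LicenseInstall, click Browse, navigate to the license file that you renamed *\") is cut off in this hunk and has no counterpart among the added lines; confirm the LicenseInstall step for line-of-business UWP apps survived the rewrite rather than being dropped together with the old wizard text.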
@@ -120,7 +121,7 @@ For details on each specific setting, see [Windows Provisioning settings referen
3. In the **Select security details for the provisioning package** window, you can select to encrypt and/or sign a provisioning package with a selected certificate, and then select **Next**. Both selections are optional:
- - **Encrypt package** - If you select this option, an auto-generated password will be shown on the screen.
+ - **Encrypt package** - If you select this option, an autogenerated password will be shown on the screen.
- **Sign package** - If you select this option, you must select a valid certificate to use for signing the package. You can specify the certificate by selecting **Select** and choosing the certificate you want to use to sign the package.
>[!NOTE]
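Review bot: "Encrypt package" says an autogenerated password is shown on screen but not what it is for. The how-it-works article in this same change states that an encrypted package needs a valid password before it is applied and that an unsigned or untrusted package requires user consent; one sentence here tying the password and the signing certificate to those apply-time behaviours would tell the admin why the two options matter.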
@@ -148,19 +149,17 @@ For details on each specific setting, see [Windows Provisioning settings referen
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
-
- [How to bulk-enroll devices with On-premises Mobile Device Management in Microsoft Endpoint Configuration Manager](/configmgr/mdm/deploy-use/bulk-enroll-devices-on-premises-mdm)
-## Related topics
+## Related articles
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
-- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
\ No newline at end of file
+- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
diff --git a/windows/configuration/provisioning-packages/provisioning-how-it-works.md b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
index 5942a86179..3d1a473ae6 100644
--- a/windows/configuration/provisioning-packages/provisioning-how-it-works.md
+++ b/windows/configuration/provisioning-packages/provisioning-how-it-works.md
@@ -1,6 +1,6 @@
---
-title: How provisioning works in Windows 10 (Windows 10)
-description: A provisioning package (.ppkg) is a container for a collection of configuration settings.
+title: How provisioning works in Windows 10/11
+description: Learn more about how provisioning package work on Windows client devices. A provisioning package (.ppkg) is a container for a collection of configuration settings.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
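Review bot: grammar in the new description: "how provisioning package work" should be "how provisioning packages work".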
@@ -8,24 +8,23 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
-# How provisioning works in Windows 10
+# How provisioning works in Windows
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
-Provisioning packages in Windows 10 provide IT administrators with a simplified way to apply configuration settings to Windows 10 devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from the [Windows Assessment and Deployment Kit (ADK)](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) or through the Microsoft Store.
+Provisioning packages in Windows client provide IT administrators with a simplified way to apply configuration settings to Windows client devices. Windows Configuration Designer is a tool that makes it easy to create a provisioning package. Windows Configuration Designer can be installed from Microsoft Store.
## Provisioning packages
-A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or simply downloaded to the device.
+A provisioning package contains specific configurations/settings and assets that can be provided through a removable media or downloaded to the device.
To enable adding multiple sets of settings or configurations, the configuration data used by the provisioning engine is built out of multiple configuration sources that consist of separate provisioning packages. Each provisioning package contains the provisioning data from a different source.
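Review bot: "can be installed from Microsoft Store" is missing "the", and the rewritten sentence drops the Windows ADK as an install source. That matches the install article in this change, but it means readers on the non-Windows-client hosts that article still lists are left without any install path; see the note on that hunk.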
@@ -69,7 +68,7 @@ When the provisioning engine selects a configuration, the Windows provisioning X
## Provisioning engine
-The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10.
+The provisioning engine is the core component for managing provisioning and configuration at runtime in a device running Windows 10/11.
The provisioning engine provides the following functionality:
@@ -82,7 +81,7 @@ The provisioning engine provides the following functionality:
## Configuration manager
-The configuration manager provides the unified way of managing Windows 10 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
+The configuration manager provides the unified way of managing Windows 10/11 devices. Configuration is mainly done through the Open Mobile Alliance (OMA) Device Management (DM) and Client Provisioning (CP) protocols. The configuration manager handles and parses these protocol requests from different channels and passes them down to [Configuration Service Providers (CSPs)](/windows/client-management/mdm/configuration-service-provider-reference) to perform the specific management requests and settings.
The provisioning engine relies on configuration manager for all of the actual processing and application of a chosen configuration. The provisioning engine determines the stage of provisioning and, based on a set of keys, determines the set of configuration to send to the configuration manager. The configuration manager in turn parses and calls into the CSPs for the setting to be applied.
@@ -110,14 +109,6 @@ When a trigger occurs, provisioning is initiated for a particular provisioning s
- **Update**: Runs after an update to apply potential updated settings changes.
- **User**: runs during a user account first run to configure per-user settings.
-
-
-
-
-
-
-
-
## Device provisioning during OOBE
The provisioning engine always applies provisioning packages persisted in the `C:\Recovery\Customizations` folder on the OS partition. When the provisioning engine applies provisioning packages in the `%ProgramData%\Microsoft\Provisioning` folder, certain runtime setting applications, such as the setting to install and configure Windows apps, may be extended past the OOBE pass and continually be processed in the background when the device gets to the desktop. Settings for configuring policies and certain crucial system configurations are always be completed before the first point at which they must take effect.
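Review bot: while removing the blank lines here, the context sentence that follows has a grammar error: "are always be completed" should be "are always completed".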
@@ -129,8 +120,8 @@ The following table shows how device provisioning can be initiated when a user f
| Package delivery | Initiation method | Supported device |
| --- | --- | --- |
-| Removable media - USB drive or SD card (Packages must be placed at media root) | 5 fast taps on the Windows key to launch the provisioning UI |All Windows devices |
-| From an administrator device through machine-to-machine NFC or NFC tag(The administrator device must run an app that can transfer the package over NFC) | 5 fast taps on the Windows key to launch the provisioning UI | Windows 10 Mobile devices and IoT Core devices |
+| Removable media - USB drive or SD card (Packages must be placed at media root) | Five fast taps on the Windows key to launch the provisioning UI |All Windows devices |
+| From an administrator device through machine-to-machine NFC or NFC tag(The administrator device must run an app that can transfer the package over NFC) | Five fast taps on the Windows key to launch the provisioning UI | Windows IoT Core devices |
The provisioning engine always copies the acquired provisioning packages to the `%ProgramData%\Microsoft\Provisioning` folder before processing them during OOBE. The provisioning engine always applies provisioning packages embedded in the installed Windows image during Windows Setup OOBE pass regardless of whether the package is signed and trusted. When the provisioning engine applies an encrypted provisioning package on an end-user device during OOBE, users must first provide a valid password to decrypt the package. The provisioning engine also checks whether a provisioning package is signed and trusted; if it's not, the user must provide consent before the package is applied to the device.
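Review bot: the rewritten NFC row still reads "NFC tag(The administrator device must run", missing a space before the parenthesis. The context paragraph under the table carries the key security statement of the article, that packages embedded in the installed image are applied during Setup OOBE regardless of whether they are signed and trusted; consider pulling that into a note callout so it is not buried mid-paragraph.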
@@ -143,8 +134,8 @@ At device runtime, stand-alone provisioning packages can be applied by user init
| Package delivery | Initiation method | Supported device |
| --- | --- | --- |
| Removable media - USB drive or SD card(Packages must be placed at media root) | **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** | All Windows devices |
-| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows 10 for desktop editions devices |
-| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows 10 Mobile devices and IoT Core devices |
+| Downloaded from a network connection and copied to a local folder | Double-click the package file | Windows client for desktop editions devices |
+| From an administrator device connected to the target device through USB tethering | Drag and drop the package file onto the target device | Windows IoT Core devices |
When applying provisioning packages from a removable media attached to the device, the Settings UI allows viewing contents of a package before selecting the package for provisioning. To minimize the risk of the device being spammed by applying provisioning packages from unknown sources, a provisioning package can be signed and encrypted. Partners can also set policies to limit the application of provisioning packages at device runtime. Applying provisioning packages at device runtime requires administrator privilege. If the package is not signed or trusted, a user must provide consent before the package is applied to the device. If the package is encrypted, a valid password is needed to decrypt the package before it can be applied to the device.
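Review bot: "SD card(Packages must be placed" in the rewritten table lacks a space before the parenthesis, and "the risk of the device being spammed by applying provisioning packages from unknown sources" is imprecise; suggest "the risk of packages from untrusted sources being applied". The sentence "If the package is not signed or trusted, a user must provide consent" is ambiguous about a package that is signed with a certificate the device does not trust; if that case also prompts, as the OOBE paragraph's "signed and trusted" wording implies, say "not signed, or signed but not trusted".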
@@ -157,25 +148,16 @@ After a stand-alone provisioning package is applied to the device, the package i
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+## Related articles
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
-
-
-
-
\ No newline at end of file
diff --git a/windows/configuration/provisioning-packages/provisioning-install-icd.md b/windows/configuration/provisioning-packages/provisioning-install-icd.md
index 1a467d4e6d..2185e1123a 100644
--- a/windows/configuration/provisioning-packages/provisioning-install-icd.md
+++ b/windows/configuration/provisioning-packages/provisioning-install-icd.md
@@ -1,6 +1,6 @@
---
-title: Install Windows Configuration Designer (Windows 10)
-description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10.
+title: Install Windows Configuration Designer (Windows 10/11)
+description: Learn how to install and use Windows Configuration Designer so you can easily configure devices running Windows 10/11.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
@@ -8,30 +8,35 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 10/16/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
-# Install Windows Configuration Designer
+# Install Windows Configuration Designer, and learn about any limitations
**Applies to**
-- Windows 10
-- Windows 10 Mobile
+- Windows 10
+- Windows 11
-Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows 10. Windows Configuration Designer is primarily designed for use by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
+Use the Windows Configuration Designer tool to create provisioning packages to easily configure devices running Windows client. Windows Configuration Designer is primarily used by IT departments for business and educational institutions who need to provision bring-your-own-device (BYOD) and business-supplied devices.
## Supported platforms
-Windows Configuration Designer can create provisioning packages for Windows 10 desktop and mobile editions, including Windows 10 IoT Core, as well as Microsoft Surface Hub and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems:
+Windows Configuration Designer can create provisioning packages for Windows client desktop, including Windows IoT Core, Microsoft Surface Hub, and Microsoft HoloLens. You can run Windows Configuration Designer on the following operating systems:
+**Client OS**:
+
+- Windows 11
- Windows 10 - x86 and amd64
- Windows 8.1 Update - x86 and amd64
- Windows 8.1 - x86 and amd64
- Windows 8 - x86 and amd64
- Windows 7 - x86 and amd64
+
+**Server OS**:
+
- Windows Server 2016
- Windows Server 2012 R2 Update
- Windows Server 2012 R2
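Review bot: the new H1 "Install Windows Configuration Designer, and learn about any limitations" is awkward for a page title; "Install Windows Configuration Designer" is enough since limitations already has its own section. "Windows client desktop, including Windows IoT Core" also reads oddly because IoT Core is not a desktop edition. Note that the Client OS and Server OS lists still keep Windows 7, 8, 8.1 and Windows Server 2008 R2 through 2016 as hosts, which bears on the next hunk.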
@@ -39,54 +44,38 @@ Windows Configuration Designer can create provisioning packages for Windows 10 d
- Windows Server 2008 R2
>[!WARNING]
->You must run Windows Configuration Designer on Windows 10 to configure Azure Active Directory enrollment using any of the wizards.
+>You must run Windows Configuration Designer on Windows client to configure Azure Active Directory enrollment using any of the wizards.
## Install Windows Configuration Designer
-On devices running Windows 10, you can install [the Windows Configuration Designer app from the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22). To run Windows Configuration Designer on other operating systems or in languages other than English, install it from the [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit).
-
->[!NOTE]
->If you install Windows Configuration Designer from both the ADK and Microsoft Store, the Store app will not open.
->
->The Windows Configuration Designer App from Microsoft Store currently supports only English. For a localized version of the Windows Configuration Designer, install it from the Windows ADK.
-
-1. Go to [Download the Windows ADK](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) and select **Get Windows ADK** for the version of Windows 10 that you want to create provisioning packages for (version 1511, 1607, or 1703).
-
- >[!NOTE]
- >The rest of this procedure uses Windows ADK for Windows 10, version 1703 as an example.
-
-2. Save **adksetup.exe** and then run it.
-
-3. On the **Specify Location** page, select an installation path and then click **Next**.
- >[!NOTE]
- >The estimated disk space listed on this page applies to the full Windows ADK. If you only install Windows Configuration Designer, the space requirement is approximately 32 MB.
-4. Make a selection on the **Windows Kits Privacy** page, and then click **Next**.
-
-5. Accept the **License Agreement**, and then click **Next**.
-
-6. On the **Select the features you want to install** page, clear all selections except **Configuration Designer**, and then click **Install**.
-
- 
+On devices running Windows client, you can install [the Windows Configuration Designer app](https://www.microsoft.com/store/apps/9nblggh4tx22) from the Microsoft Store.
## Current Windows Configuration Designer limitations
-- Windows Configuration Designer will not work properly if the Group Policy setting **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** is enabled. We recommend that you run Windows Configuration Designer on a different device, rather than change the security setting.
+- Windows Configuration Designer doesn't work properly if the **Policies > Administrative Templates > Windows Components > Internet Explorer > Security Zones: Use only machine settings** Group Policy setting is enabled. Instead of changing the security setting, we recommend you run Windows Configuration Designer on a different device.
- You can only run one instance of Windows Configuration Designer on your computer at a time.
-- Be aware that when adding apps and drivers, all files stored in the same folder will be imported and may cause errors during the build process.
+- When adding apps and drivers, all files stored in the same folder are imported, and may cause errors during the build process.
-- The Windows Configuration Designer UI does not support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
+- The Windows Configuration Designer UI doesn't support multivariant configurations. Instead, you must use the Windows Configuration Designer command-line interface to configure multivariant settings. For more information, see [Create a provisioning package with multivariant settings](provisioning-multivariant.md).
-- While you can open multiple projects at the same time within Windows Configuration Designer, you can only build one project at a time.
+- In Windows Configuration Designer, you can only build one project at a time. You can open multiple projects at the same time, but you can only build one at a time.
-- In order to enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you need to explicitly enable **Allow websites to prompt for information using scripted windows**. Do this by opening Internet Explorer and then navigating to **Settings** > **Internet Options** > **Security** -> **Custom level** > **Allow websites to prompt for information using scripted windows**, and then choose **Enable**.
+- To enable the simplified authoring jscripts to work on a server SKU running Windows Configuration Designer, you must enable **Allow websites to prompt for information using scripted windows**:
-- If you copy a Windows Configuration Designer project from one PC to another PC, make sure that all the associated files for the deployment assets, such as apps and drivers, are copied along with the project to the same path as it was on the original PC.
+ 1. Open Internet Explorer.
+ 2. Go to **Settings** > **Internet Options** > **Security** > **Custom level**.
+ 3. Select **Allow websites to prompt for information using scripted windows** > **Enable**.
- For example, when you add a driver to a provisioned package, you must copy the .INF file to a local directory on the PC that is running Windows Configuration Designer. If you don't do this, and attempt to use a copied version of this project on a different PC, Windows Configuration Designer might attempt to resolve the path to the files that point to the original PC.
-
-- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer, rather than using external sources like network shares or removable drives. This reduces the risk of interrupting the build process from a temporary network issue or from disconnecting the USB device.
+- If you copy a Windows Configuration Designer project from one PC to another PC, then:
+
+ - Copy all the associated files for the deployment assets with the project, including apps and drivers.
+ - Copy all the files to the same path as the original PC.
+
+ For example, when you add a driver to a provisioned package, you must copy the `.INF` file to a local directory on the PC that's running Windows Configuration Designer. If you don't copy the `.INF` file, and use a copied version of this project on a different PC, then Windows Configuration Designer might resolve the file paths to the original PC.
+
+- **Recommended**: Before starting, copy all source files to the PC running Windows Configuration Designer. Don't use external sources, like network shares or removable drives. Using local files reduces the risk of interrupting the build process from a network issue, or from disconnecting the USB device.
**Next step**: [How to create a provisioning package](provisioning-create-package.md)
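Review bot: this hunk deletes the ADK install procedure together with the note that the Store app is English-only and that installing both the ADK and Store versions stops the Store app from opening, leaving "install the app from the Microsoft Store" on Windows client as the only path. The Supported platforms section above still lists Windows 7, 8, 8.1 and Windows Server 2008 R2 through 2016 as hosts, where that Store app is not an option; either keep a short ADK pointer for those hosts or trim the host list to match. For the scripted-windows limitation, the rewritten steps tell the reader to loosen an Internet Explorer zone setting on a server SKU; since the first bullet already warns that Windows Configuration Designer depends on IE zone settings, add that the change should be reverted once the package is built.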
@@ -94,27 +83,15 @@ On devices running Windows 10, you can install [the Windows Configuration Design
- Watch the video: [Provisioning Windows 10 Devices with New Tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- Watch the video: [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+## Related articles
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/configuration/provisioning-packages/provisioning-multivariant.md b/windows/configuration/provisioning-packages/provisioning-multivariant.md
index 6e54b39009..028b44c522 100644
--- a/windows/configuration/provisioning-packages/provisioning-multivariant.md
+++ b/windows/configuration/provisioning-packages/provisioning-multivariant.md
@@ -1,5 +1,5 @@
---
-title: Create a provisioning package with multivariant settings (Windows 10)
+title: Create a provisioning package with multivariant settings (Windows 10/11)
description: Create a provisioning package with multivariant settings to customize the provisioned settings for defined conditions.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -7,8 +7,7 @@ ms.sitesec: library
author: greg-lindsay
ms.topic: article
ms.localizationpriority: medium
-ms.date: 11/08/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
ms.author: greglin
---
@@ -19,7 +18,7 @@ ms.author: greglin
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
In your organization, you might have different configuration requirements for devices that you manage. You can create separate provisioning packages for each group of devices in your organization that have different requirements. Or, you can create a multivariant provisioning package, a single provisioning package that can work for multiple conditions. For example, in a single provisioning package, you can define one set of customization settings that will apply to devices set up for French and a different set of customization settings for devices set up for Japanese.
@@ -37,38 +36,43 @@ A **Target** can have more than one **TargetState**, and a **TargetState** can h

-The following table describes the logic for the target definition.
+The following information describes the logic for the target definition:
-
-Expand a category.
-Select a setting.
-Enter a value for the setting. Select Add if the button is displayed.
-Some settings, such as this example, require additional information. In Available customizations, select the value you just created, and additional settings are displayed.
-When the setting is configured, it is displayed in the Selected customizations pane.
+- When all **Condition** elements are TRUE, **TargetState** is TRUE:
+
+ :::image type="content" source="../images/icd-multi-targetstate-true.png" alt-text="Target state is true when all conditions are true.":::
+
+- If any of the **TargetState** elements is TRUE, **Target** is TRUE, and the **ID** can be used for setting customizations:
+
+ :::image type="content" source="../images/icd-multi-target-true.png" alt-text="Target is true if any target state is true":::
### Conditions
-The following table shows the conditions supported in Windows 10 provisioning for a **TargetState**:
+The following table shows the conditions supported in Windows client provisioning for a **TargetState**:
-| Condition Name | Condition priority | Windows 10 Mobile | Windows 10 for desktop editions | Value type | Value description |
-| --- | --- | --- | --- | --- | --- |
-| MNC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
-| MCC | P0 | Supported | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
-| SPN | P0 | Supported | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. |
-| PNN | P0 | Supported | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
-| GID1 | P0 | Supported | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
-| ICCID | P0 | Supported | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
-| Roaming | P0 | Supported | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
-| UICC | P0 | Supported | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
-| UICCSLOT | P0 | Supported | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
-| ProcessorType | P1 | Supported | Supported | String | Use to target settings based on the processor type. |
-| ProcessorName | P1 | Supported | Supported | String | Use to target settings based on the processor name. |
-| AoAc ("Always On, Always Connected") | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. |
-| PowerPlatformRole | P1 | Supported | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). |
-| Architecture | P1 | Supported | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
-| Server | P1 | Supported | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. |
-| Region | P1 | Supported | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
-| Lang | P1 | Supported | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). |
+| Condition Name | Condition priority | Windows client for desktop editions | Value type | Value description |
+| --- | --- | --- | --- | --- |
+| MNC | P0 | Supported | Digit string | Use to target settings based on the Mobile Network Code (MNC) value. |
+| MCC | P0 | Supported | Digit string | Use to target settings based on the Mobile Country Code (MCC) value. |
+| SPN | P0 | Supported | String | Use to target settings based on the Service Provider Name (SPN) value. |
+| PNN | P0 | Supported | String | Use to target settings based on public land mobile network (PLMN) Network Name value. |
+| GID1 | P0 | Supported | Digit string | Use to target settings based on the Group Identifier (level 1) value. |
+| ICCID | P0 | Supported | Digit string | Use to target settings based on the Integrated Circuit Card Identifier (ICCID) value. |
+| Roaming | P0 | N/A | Boolean | Use to specify roaming. Set the value to **1** (roaming) or **0** (non-roaming). |
+| UICC | P0 | N/A | Enumeration | Use to specify the Universal Integrated Circuit Card (UICC) state. Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked |
+| UICCSLOT | P0 | N/A | Digit string | Use to specify the UICC slot. Set the value one of the following:- 0 - Slot 0- 1 - Slot 1 |
+| ProcessorType | P1 | Supported | String | Use to target settings based on the processor type. |
+| ProcessorName | P1 | Supported | String | Use to target settings based on the processor name. |
+| AoAc ("Always On, Always Connected") | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true). If this condition is TRUE, the system supports the S0 low power idle model. |
+| PowerPlatformRole | P1 | Supported | Enumeration | Indicates the preferred power management profile. Set the value based on the [POWER_PLATFORM_ROLE enumeration](/windows/win32/api/winnt/ne-winnt-power_platform_role). |
+| Architecture | P1 | Supported | String | Matches the PROCESSOR_ARCHITECTURE environment variable. |
+| Server | P1 | Supported | Boolean | Set the value to **0** (false) or **1** (true) to identify a server. |
+| Region | P1 | Supported | Enumeration | Use to target settings based on country/region, using the 2-digit alpha ISO code per [ISO 3166-1 alpha-2](https://en.wikipedia.org/wiki/ISO_3166-1_alpha-2). |
+| Lang | P1 | Supported | Enumeration | Use to target settings based on language code, using the 2-digit [ISO 639 alpha-2 code](https://en.wikipedia.org/wiki/ISO_639). |
-The matching types supported in Windows 10 are:
+The matching types supported in Windows client are:
| Matching type | Syntax | Example |
| --- | --- | --- |
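Review bot: With the Windows 10 Mobile column removed, the `Roaming`, `UICC` and `UICCSLOT` rows now read `N/A` in the only platform column, so the table documents conditions it says cannot be used anywhere; either drop those rows or add a sentence stating they are retained for packages that still carry them. While touching the table, the value lists in the UICC and UICCSLOT cells have lost their separators (`Set the value to one of the following:- 0 - Empty- 1 - Ready- 2 - Locked`) and should read `0 (Empty), 1 (Ready), 2 (Locked)`. The two new `:::image:::` directives replace the previous prose description of the Condition/TargetState/Target logic; keep a one-sentence text summary beside them for readers who cannot see the images, and confirm both files exist under `../images/`.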
@@ -79,7 +83,7 @@ The matching types supported in Windows 10 are:
### TargetState priorities
-You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evalues each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**.
+You can define more than one **TargetState** within a provisioning package to apply settings to devices that match device conditions. When the provisioning engine evaluates each **TargetState**, more than one **TargetState** may fit current device conditions. To determine the order in which the settings are applied, the system assigns a priority to every **TargetState**.
A setting that matches a **TargetState** with a lower priority is applied before the setting that matches a **TargetState** with a higher priority. This means that a setting for the **TargetState** with the higher priority can overwrite a setting for the **TargetState** with the lower priority.
@@ -281,38 +285,29 @@ In this example, the **StoreFile** corresponds to the location of the settings s
## Events that trigger provisioning
-When you install the multivariant provisioning package on a Windows 10 device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
+When you install the multivariant provisioning package on a Windows client device, the provisioning engine applies the matching condition settings at every event and triggers provisioning.
-The following events trigger provisioning on Windows 10 devices:
+The following events trigger provisioning on Windows client devices:
-| Event | Windows 10 Mobile | Windows 10 for desktop editions |
-| --- | --- | --- |
-| System boot | Supported | Supported |
-| Operating system update | Supported | Planned |
-| Package installation during device first run experience | Supported | Supported |
-| Detection of SIM presence or update | Supported | Supported |
-| Package installation at runtime | Supported | Supported |
-| Roaming detected | Supported | Not supported |
+| Event | Windows client for desktop editions |
+| --- | --- |
+| System boot | Supported |
+| Operating system update | Planned |
+| Package installation during device first run experience | Supported |
+| Detection of SIM presence or update | Supported |
+| Package installation at runtime | Supported |
+| Roaming detected | Not supported |
+## Related articles
-
-
-
-
-
-
-
-
-## Related topics
-
-- [Provisioning packages for Windows 10](provisioning-packages.md)
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [Provisioning packages for Windows client](provisioning-packages.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
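Review bot: The `Operating system update | Planned` cell is carried over unchanged from a page last dated 2017 and now applies to Windows 11 as well; "Planned" is a forward-looking status and should be confirmed and replaced with `Supported` or `Not supported`. Also, the new `## Related articles` heading is inserted above the block of deleted blank lines, so check that the rendered file has exactly one blank line between the events table and the heading.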
diff --git a/windows/configuration/provisioning-packages/provisioning-packages.md b/windows/configuration/provisioning-packages/provisioning-packages.md
index a3b4e25f84..b7a5d07216 100644
--- a/windows/configuration/provisioning-packages/provisioning-packages.md
+++ b/windows/configuration/provisioning-packages/provisioning-packages.md
@@ -1,8 +1,8 @@
---
-title: Provisioning packages (Windows 10)
-description: With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+title: Provisioning packages overview on Windows 10/11
+description: With Windows 10 and Windows 11, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image. Learn about what provisioning packages, are and what they do.
ms.assetid: 287706E5-063F-4AB5-902C-A0DF6D0730BC
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
ms.prod: w10
ms.mktglfcycl: deploy
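Review bot: The new description has a misplaced comma: `Learn about what provisioning packages, are and what they do` should read `Learn about what provisioning packages are and what they do`.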
@@ -11,37 +11,38 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
+
---
-# Provisioning packages for Windows 10
+# Provisioning packages for Windows
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
Windows provisioning makes it easy for IT administrators to configure end-user devices without imaging. Using Windows provisioning, an IT administrator can easily specify desired configuration and settings required to enroll the devices into management and then apply that configuration to target devices in a matter of minutes. It is best suited for small- to medium-sized businesses with deployments that range from tens to a few hundred computers.
-A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows 10, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
+A provisioning package (.ppkg) is a container for a collection of configuration settings. With Windows client, you can create provisioning packages that let you quickly and efficiently configure a device without having to install a new image.
-Provisioning packages are simple enough that with a short set of written instructions, a student or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
+Provisioning packages are simple enough that with a short set of written instructions, a student, or non-technical employee can use them to configure their device. This can result in a significant reduction in the time required to configure multiple devices in your organization.
-The [Windows Assessment and Deployment Kit (ADK) for Windows 10](https://developer.microsoft.com/windows/hardware/windows-assessment-deployment-kit) includes the Windows Configuration Designer, a tool for configuring provisioning packages. Windows Configuration Designer is also available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
+
+Windows Configuration Designer is available as an [app in the Microsoft Store](https://www.microsoft.com/store/apps/9nblggh4tx22).
-## New in Windows 10, version 1703
+
-- The tool for creating provisioning packages is renamed Windows Configuration Designer, replacing the Windows Imaging and Configuration Designer (ICD) tool. The components for creating images have been removed from Windows Configuration Designer, which now provides access to runtime settings only.
-- Windows Configuration Designer can still be installed from the Windows ADK. You can also install it from the Microsoft Store.
-- Windows Configuration Designer adds more wizards to make it easier to create provisioning packages for specific scenarios. See [What you can configure](#configuration-designer-wizards) for wizard descriptions.
-- The Provision desktop devices wizard (previously called Simple provisioning) now enables joining Azure Active Directory (Azure AD) domains and also allows you to remove non-Microsoft software from Windows desktop devices during provisioning.
-- When provisioning packages are applied to a device, a status screen indicates successful or failed provisioning.
-- Windows 10 includes PowerShell cmdlets that simplify scripted provisioning. Using these cmdlets, you can add provisioning packages, remove provisioning packages and generate log files to investigate provisioning errors.
-- The Provision school devices wizard is removed from Windows Configuration Designer. Instead, use the [Setup School PCs app](https://www.microsoft.com/store/p/set-up-school-pcs/9nblggh4ls40) from the Microsoft Store.
+
+
+
+
+
+
+
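Review bot: The edit to `a student, or non-technical employee` adds a comma that splits the subject; revert to `a student or non-technical employee`. Deleting the "New in Windows 10, version 1703" section also removes the only statement that Windows Configuration Designer can be installed from the Windows ADK; if the ADK is still a supported install path, keep that sentence next to the Store link rather than dropping it with the version history. Finally, `ms.date` is replaced with an empty `+` line and the removed section leaves seven blank `+` lines; remove them so the file does not accumulate stray whitespace.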
@@ -74,20 +75,31 @@ Provisioning packages can be:
The following table describes settings that you can configure using the wizards in Windows Configuration Designer to create provisioning packages.
+| Step | Description | Desktop wizard | Kiosk wizard | HoloLens wizard |
+| --- | --- | --- | --- | --- |
+| Set up device | Assign device name, enter product key to upgrade Windows, configure shared used, remove pre-installed software | ✔️ | ✔️ | ✔️ |
+| Set up network | Connect to a Wi-Fi network | ✔️ | ✔️ | ✔️ |
+| Account management | Enroll device in Active Directory, enroll device in Azure Active Directory, or create a local administrator account | ✔️ | ✔️ | ✔️ |
+| Bulk Enrollment in Azure AD | Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, [set up Azure AD join in your organization](/azure/active-directory/active-directory-azureadjoin-setup). | ❌ | ❌ | ❌ |
+| Add applications | Install applications using the provisioning package. | ✔️ | ✔️ | ❌ |
+| Add certificates | Include a certificate file in the provisioning package. | ✔️ | ✔️ | ✔️ |
+| Configure kiosk account and app | Create local account to run the kiosk mode app, specify the app to run in kiosk mode | ❌ | ✔️ | ❌ |
+| Configure kiosk common settings | Set tablet mode, configure welcome and shutdown screens, turn off timeout settings | ❌ | ✔️ | ❌ |
+| Developer Setup | Enable Developer Mode | ❌ | ❌ | ✔️ |
-
-When all Condition elements are TRUE, TargetState is TRUE. If any of the TargetState elements is TRUE, Target is TRUE, and the Id can be used for setting customizations.
+
+
+
+
+
+
+
+
+
+
+
- [Instructions for the desktop wizard](provision-pcs-for-initial-deployment.md)
-- [Instructions for the mobile wizard](../mobile-devices/provisioning-configure-mobile.md)
- [Instructions for the kiosk wizard](../kiosk-single-app.md#wizard)
- [Instructions for the HoloLens wizard](/hololens/hololens-provisioning#wizard)
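Review bot: In the new wizard table, `configure shared used` should be `configure shared use`, and `Enroll device in Azure Active DirectoryBefore you use` is missing a separator between the two sentences (a period and space, or a `<br>`). The `Bulk Enrollment in Azure AD` row shows ❌ for all three remaining wizards, so as written it tells the reader nothing; either remove the row or, if the deleted mobile wizard was the only one that supported it, say so in a note. The deleted sentence about Condition/TargetState logic belongs to the multivariant topic, so its removal here is fine, but the eleven blank `+` lines that replace it should go.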
@@ -100,68 +112,62 @@ The following table describes settings that you can configure using the wizards
The following table provides some examples of settings that you can configure using the Windows Configuration Designer advanced editor to create provisioning packages.
-| Customization options | Examples |
-|--------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------|
+| Customization options | Examples |
+|---|---|
| Bulk Active Directory join and device name | Join devices to Active Directory domain and assign device names using hardware-specific serial numbers or random characters |
-| Applications | Windows apps, line-of-business applications |
-| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service\* |
-| Certificates | Root certification authority (CA), client certificates |
-| Connectivity profiles | Wi-Fi, proxy settings, Email |
-| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
-| Data assets | Documents, music, videos, pictures |
-| Start menu customization | Start menu layout, application pinning |
-| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
-
-\* Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager is not supported. Use the Configuration Manager console to enroll devices.
-
+| Applications | Windows apps, line-of-business applications |
+| Bulk enrollment into MDM | Automatic enrollment into a third-party MDM service
-Step Description Desktop wizard Mobile wizard Kiosk wizard HoloLens wizard
-Set up device Assign device name,enter product key to upgrade Windows,configure shared used,remove pre-installed software (Only device name and upgrade key)
-Set up network Connect to a Wi-Fi network
-Account management Enroll device in Active Directory,enroll device in Azure Active Directory,or create a local administrator account
-Bulk Enrollment in Azure AD Enroll device in Azure Active DirectoryBefore you use a Windows Configuration Designer wizard to configure bulk Azure AD enrollment, set up Azure AD join in your organization.
-Add applications Install applications using the provisioning package.
-Add certificates Include a certificate file in the provisioning package.
-Configure kiosk account and app Create local account to run the kiosk mode app,specify the app to run in kiosk mode
-Configure kiosk common settings Set tablet mode,configure welcome and shutdown screens,turn off timeout settings Developer Setup Enable Developer Mode.
Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager isn't supported. To enroll devices, use the Configuration Manager console. |
+| Certificates | Root certification authority (CA), client certificates |
+| Connectivity profiles | Wi-Fi, proxy settings, Email |
+| Enterprise policies | Security restrictions (password, device lock, camera, and so on), encryption, update settings |
+| Data assets | Documents, music, videos, pictures |
+| Start menu customization | Start menu layout, application pinning |
+| Other | Home and lock screen wallpaper, computer name, domain join, DNS settings, and so on |
For details about the settings you can customize in provisioning packages, see [Windows Provisioning settings reference]( https://go.microsoft.com/fwlink/p/?LinkId=619012).
-## Changes to provisioning in Windows 10, version 1607
+
-> [!NOTE]
-> This section is retained for customers using Windows 10, version 1607, on the Current Branch for Business. Some of this information is not applicable in Windows 10, version 1703.
+
+
-Windows ICD for Windows 10, version 1607, simplified common provisioning scenarios.
+WCD, simplified common provisioning scenarios.
-
+:::image type="content" source="../images/icd.png" alt-text="Configuration Designer options":::
-Windows ICD in Windows 10, version 1607, supported the following scenarios for IT administrators:
+WCD supports the following scenarios for IT administrators:
-* **Simple provisioning** – Enables IT administrators to define a desired configuration in Windows ICD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
+* **Simple provisioning** – Enables IT administrators to define a desired configuration in WCD and then apply that configuration on target devices. The simple provisioning wizard makes the entire process quick and easy by guiding an IT administrator through common configuration settings in a step-by-step manner.
-[Learn how to use simple provisioning to configure Windows 10 computers.](provision-pcs-for-initial-deployment.md)
+[Learn how to use simple provisioning to configure Windows computers.](provision-pcs-for-initial-deployment.md)
-* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use Windows ICD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
+* **Advanced provisioning (deployment of classic (Win32) and Universal Windows Platform (UWP) apps, and certificates)** – Allows an IT administrator to use WCD to open provisioning packages in the advanced settings editor and include apps for deployment on end-user devices.
-* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows 10 Mobile devices and enroll them into mobile device management (MDM) before handing them to end-users in the organization. IT administrators can use Windows ICD to specify the management end-point and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
+* **Mobile device enrollment into management** - Enables IT administrators to purchase off-the-shelf retail Windows devices and enroll them into mobile device management (MDM) before handing them to end users in the organization. IT administrators can use WCD to specify the management endpoint and apply the configuration on target devices by connecting them to a Windows PC (tethered deployment) or through an SD card. Supported management end-points include:
- * Microsoft Intune (certificate-based enrollment)
- * AirWatch (password-string based enrollment)
- * Mobile Iron (password-string based enrollment)
- * Other MDMs (cert-based enrollment)
+ - Microsoft Intune (certificate-based enrollment)
+ - AirWatch (password-string based enrollment)
+ - MobileIron (password-string based enrollment)
+ - Other MDMs (cert-based enrollment)
-> [!NOTE]
-> Windows ICD in Windows 10, version 1607, also provided a wizard to create provisioning packages for school PCs. To learn more, see [Set up students' PCs to join domain](/education/windows/).
+
+
## Learn more
-For more information about provisioning, watch the following videos:
+For more information about provisioning, watch the following video:
-- [Provisioning Windows 10 devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
+- [Provisioning Windows client devices with new tools](https://go.microsoft.com/fwlink/p/?LinkId=615921)
-- [Windows 10 for Mobile Devices: Provisioning Is Not Imaging](https://go.microsoft.com/fwlink/p/?LinkId=615922)
+## Related articles
-## Related topics
-
-- [How provisioning works in Windows 10](provisioning-how-it-works.md)
+- [How provisioning works in Windows client](provisioning-how-it-works.md)
- [Install Windows Configuration Designer](provisioning-install-icd.md)
- [Create a provisioning package](provisioning-create-package.md)
- [Apply a provisioning package](provisioning-apply-package.md)
- [Settings changed when you uninstall a provisioning package](provisioning-uninstall-package.md)
- [Provision PCs with common settings for initial deployment (simple provisioning)](provision-pcs-for-initial-deployment.md)
- [Use a script to install a desktop app in provisioning packages](provisioning-script-to-install-app.md)
-- [PowerShell cmdlets for provisioning Windows 10 (reference)](provisioning-powershell.md)
+- [PowerShell cmdlets for provisioning Windows client (reference)](provisioning-powershell.md)
- [Windows Configuration Designer command-line interface (reference)](provisioning-command-line.md)
- [Create a provisioning package with multivariant settings](provisioning-multivariant.md)
-- [Use Windows Configuration Designer to configure Windows 10 Mobile devices](../mobile-devices/provisioning-configure-mobile.md)
\ No newline at end of file
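Review bot: The `Bulk enrollment into MDM` row is broken across lines: the cell text `Automatic enrollment into a third-party MDM service` ends without a closing `|`, and the former footnote `Using a provisioning package for auto-enrollment to Microsoft Endpoint Manager isn't supported...` now sits on its own line ending in `|`. Markdown table cells cannot span lines, so either restore the footnote below the table with its `\*` marker or join it into the cell on one line with a `<br>`. `WCD, simplified common provisioning scenarios.` has a stray comma and uses the abbreviation before defining it; write `Windows Configuration Designer (WCD) simplifies common provisioning scenarios.` and use `WCD` from then on. The "Mobile device enrollment into management" bullet was written for Windows 10 Mobile (tethered deployment, SD card), so changing `Windows 10 Mobile devices` to `Windows devices` presents mobile-only steps to desktop readers; either delete the bullet with the rest of the mobile content or restate it for desktop. Minor: `endpoint` and `end-points` now appear in the same sentence; pick one spelling.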
diff --git a/windows/configuration/provisioning-packages/provisioning-powershell.md b/windows/configuration/provisioning-packages/provisioning-powershell.md
index 4ed15d47fc..50e9c56a1e 100644
--- a/windows/configuration/provisioning-packages/provisioning-powershell.md
+++ b/windows/configuration/provisioning-packages/provisioning-powershell.md
@@ -1,6 +1,6 @@
---
-title: PowerShell cmdlets for provisioning Windows 10 (Windows 10)
-description:
+title: PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11)
+description: Learn more about the Windows PowerShell cmdlets that you can use with Provisioning packages on Windows10/11 client desktop devices.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
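Review bot: The title `PowerShell cmdlets for provisioning Windows 10/11 (Windows 10/11)` repeats the product in the parenthetical; use `PowerShell cmdlets for provisioning Windows 10/11 (reference)` to match the H1 in the next hunk. In the description, `Windows10/11` needs a space and `Provisioning packages` should be lower case mid-sentence.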
@@ -8,32 +8,68 @@ author: greg-lindsay
ms.author: greglin
ms.topic: article
ms.localizationpriority: medium
-ms.date: 07/27/2017
-ms.reviewer:
+ms.reviewer: gkomatsu
manager: dansimp
---
-# PowerShell cmdlets for provisioning Windows 10 (reference)
+# PowerShell cmdlets for provisioning Windows client (reference)
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
-Windows 10, version 1703, ships with Windows Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions.
+Windows client includes Provisioning PowerShell cmdlets. These cmdlets make it easy to script the following functions.
+## cmdlets
+- **Add-ProvisioningPackage**: Applies a provisioning package.
-
+ Syntax:
+
+ - `Add-ProvisioningPackage [-Path]
-Cmdlet Use this cmdlet to Syntax
-Add-ProvisioningPackage Apply a provisioning package Add-ProvisioningPackage [-Path] <string> [-ForceInstall] [-LogsFolder <string>] [-QuietInstall] [-WprpFile <string>] [<CommonParameters>]
Remove-ProvisioningPackage Remove a provisioning package Remove-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Remove-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
- Remove-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Get-ProvisioningPackage Get information about an installed provisioning package Get-ProvisioningPackage -PackageId <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Get-ProvisioningPackage -Path <string> [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
- Get-ProvisioningPackage -AllInstalledPackages [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
Export-ProvisioningPackage Extract the contents of a provisioning package Export-ProvisioningPackage -PackageId <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
- Export-ProvisioningPackage -Path <string> -OutputFolder <string> [-Overwrite] [-AnswerFileOnly] [-LogsFolder <string>] [-WprpFile <string>] [<CommonParameters>]
- Install-TrustedProvisioningCertificate Adds a certificate to the Trusted Certificate store Install-TrustedProvisioningCertificate <path to local certificate file on disk>
-Get-TrustedProvisioningCertificate List all installed trusted provisioning certificates; use this cmdlet to get the certificate thumbprint to use with the Uninstall-TrustedProvisioningCertificate cmdlet Get-TrustedProvisioningCertificate
-Uninstall-TrustedProvisioningCertificate Remove a previously installed provisioning certificate Uninstall-TrustedProvisioningCertificate <thumbprint>
- Prevents users from changing power settings
- Turns off hibernate
- Overrides all power state transitions to sleep (e.g. lid close) |
| Customization: SignInOnResume | This setting specifies if the user is required to sign in with a password when the PC wakes from sleep. |
| Customization: SleepTimeout | Specifies all timeouts for when the PC should sleep. Enter the amount of idle time in seconds. If you don't set sleep timeout, the default of 1 hour applies. |
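Review bot: The `## cmdlets` heading should be `## Cmdlets` (sentence case, like the page's other headings). The table is being converted into a list, but the new `Add-ProvisioningPackage` entry stops at `` `Add-ProvisioningPackage [-Path] `` with no closing backtick, and the remaining cmdlets (`Remove-ProvisioningPackage`, `Get-ProvisioningPackage`, `Export-ProvisioningPackage`, `Install-TrustedProvisioningCertificate`, `Get-TrustedProvisioningCertificate`, `Uninstall-TrustedProvisioningCertificate`) appear only as deletions; confirm the full list is present in the final file and that every syntax line is complete and inside a code span or fence. Keep the deleted guidance that `Get-TrustedProvisioningCertificate` returns the thumbprint required by `Uninstall-TrustedProvisioningCertificate`, since administrators need it to remove a provisioning certificate from the trusted store once it is no longer required.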
@@ -83,7 +84,7 @@ Shared PC mode exposes a set of customizations to tailor the behavior to your re
You can configure Windows to be in shared PC mode in a couple different ways:
-- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows 10 in Intune, complete the following steps:
+- Mobile device management (MDM): Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp). To setup a shared device policy for Windows client in Intune, complete the following steps:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
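Review bot: `To setup a shared device policy` should be `To set up a shared device policy`; the verb form is two words, and the line is already being edited.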
@@ -112,12 +113,12 @@ You can configure Windows to be in shared PC mode in a couple different ways:
11. From this point on, you can configure any additional settings you’d like to be part of this policy, and then follow the rest of the set-up flow to its completion by selecting **Create** after **Step 6**.
-- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows 10 PC that is already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.
+- A provisioning package created with the Windows Configuration Designer: You can apply a provisioning package when you initially set up the PC (also known as the out-of-box-experience or OOBE), or you can apply the provisioning package to a Windows client that's already in use. The provisioning package is created in Windows Configuration Designer. Shared PC mode is enabled by the [SharedPC configuration service provider (CSP)](/windows/client-management/mdm/sharedpc-csp), exposed in Windows Configuration Designer as **SharedPC**.

- WMI bridge: Environments that use Group Policy can use the [MDM Bridge WMI Provider](/windows/win32/dmwmibridgeprov/mdm-bridge-wmi-provider-portal) to configure the [MDM_SharedPC class](/windows/win32/dmwmibridgeprov/mdm-sharedpc). For all device settings, the WMI Bridge client must be executed under local system user; for more information, see [Using PowerShell scripting with the WMI Bridge Provider](/windows/client-management/mdm/using-powershell-scripting-with-the-wmi-bridge-provider). For example, open PowerShell as an administrator and enter the following:
-
+
```powershell
$sharedPC = Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName "MDM_SharedPC"
$sharedPC.EnableSharedPCMode = $True
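Review bot: The WMI bridge bullet states that "the WMI Bridge client must be executed under local system user" for device settings, but the very next sentence tells the reader to "open PowerShell as an administrator", which is a different security context; either show the example running as LocalSystem (the linked WMI Bridge Provider article covers how) or say explicitly that an elevated admin session isn't enough for device-scoped settings. Also, the snippet sets `$sharedPC.EnableSharedPCMode = $True` but the hunk shows no call that writes the modified instance back (for example `Set-CimInstance -CimInstance $sharedPC`); if that line follows outside the context, fine, otherwise the example never applies the setting.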
diff --git a/windows/configuration/setup-digital-signage.md b/windows/configuration/setup-digital-signage.md
index 80bbd5b7da..d545a5cc63 100644
--- a/windows/configuration/setup-digital-signage.md
+++ b/windows/configuration/setup-digital-signage.md
@@ -1,8 +1,8 @@
---
-title: Set up digital signs on Windows 10 (Windows 10)
-description: A single-use device such as a digital sign is easy to set up in Windows 10 (Pro, Enterprise, and Education).
+title: Set up digital signs on Windows 10/11
+description: A single-use device such as a digital sign is easy to set up in Windows 10 and Windows 11 (Pro, Enterprise, and Education).
ms.assetid: 428680AE-A05F-43ED-BD59-088024D1BFCC
-ms.reviewer:
+ms.reviewer: sybruckm
manager: dansimp
ms.author: greglin
keywords: ["assigned access", "kiosk", "lockdown", "digital sign", "digital signage", "kiosk browser", "browser"]
@@ -11,31 +11,30 @@ ms.mktglfcycl: manage
ms.sitesec: library
author: greg-lindsay
ms.localizationpriority: medium
-ms.date: 10/02/2018
+ms.date: 09/20/2021
ms.topic: article
---
-# Set up digital signs on Windows 10
-
+# Set up digital signs on Windows 10/11
**Applies to**
-- Windows 10 Pro, Enterprise, and Education
+- Windows 10 Pro, Enterprise, and Education
+- Windows 11
Digital signage can be a useful and exciting business tool. Use digital signs to showcase your products and services, to display testimonials, or to advertise promotions and campaigns. A digital sign can be a static display, such as a building directory or menu, or it can be dynamic, such as repeating videos or a social media feed.
-For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app (a new Microsoft app for Windows 10, version 1803) and configure it to show your online content.
+For digital signage, simply select a digital sign player as your kiosk app. You can also use [Microsoft Edge in kiosk mode](/microsoft-edge/deploy/microsoft-edge-kiosk-mode-deploy) or the Kiosk Browser app, and configure it to show your online content.
>[!TIP]
>Kiosk Browser can also be used in [single-app kiosks](kiosk-single-app.md) and [multi-app kiosk](lock-down-windows-10-to-specific-apps.md) as a web browser. For more information, see [Guidelines for web browsers](guidelines-for-assigned-access-app.md#guidelines-for-web-browsers).
-Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 10, version 1803.
+Kiosk Browser must be downloaded for offline licensing using Microsoft Store for Business. You can deploy Kiosk Browser to devices running Windows 11, and Windows 10 version 1803+.
>[!NOTE]
>If you haven't set up your Microsoft Store for Business yet, check out [the prerequisites](/microsoft-store/prerequisites-microsoft-store-for-business) and then [sign up](/microsoft-store/sign-up-microsoft-store-for-business).
-
-This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows 10, version 1803, that has already been set up (completed the first-run experience).
+This procedure explains how to configure digital signage using Kiosk Browser on a device running Windows client that has already been set up (completed the first-run experience).
1. [Get **Kiosk Browser** in Microsoft Store for Business with offline, unencoded license type.](/microsoft-store/acquire-apps-microsoft-store-for-business#acquire-apps)
2. [Download the **Kiosk Browser** package, license file, and all required frameworks.](/microsoft-store/distribute-offline-apps#download-an-offline-licensed-app)
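Review bot: Removing the blank line between the `>[!NOTE]` block and the rewritten "This procedure explains how to configure digital signage..." paragraph will make markdown treat that paragraph as a lazy continuation of the note; keep a blank line after the note (and after the H1 before **Applies to**). The phrase "a device running Windows client" is awkward; "a Windows 10 or Windows 11 device" reads better, and since the Kiosk Browser requirement two paragraphs up is "Windows 11, and Windows 10 version 1803+", that minimum should be restated here rather than dropped along with the old "version 1803" text.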
@@ -43,24 +42,24 @@ This procedure explains how to configure digital signage using Kiosk Browser on
3. Open Windows Configuration Designer and select **Provision kiosk devices**.
4. Enter a friendly name for the project, and select **Finish**.
5. On **Set up device**, select **Disabled**, and select **Next**.
-6. On **Set up network**, enable network setup.
+6. On **Set up network**, enable network setup:
- Toggle **On** wireless network connectivity.
- Enter the SSID, the network type (**Open** or **WPA2-Personal**), and (if **WPA2-Personal**) the password for the wireless network.
7. On **Account management**, select **Disabled**, and select **Next**.
-8. On **Add applications**, select **Add an application**.
+8. On **Add applications**, select **Add an application**:
- For **Application name**, enter `Kiosk Browser`.
- For **Installer path**, browse to and select the AppxBundle that you downloaded from Microsoft Store for Business. After you select the package, additional fields are displayed.
- For **License file path**, browse to and select the XML license file that you downloaded from Microsoft Store for Business.
- The **Package family name** is populated automatically.
- Select **Next**.
9. On **Add certificates**, select **Next**.
-10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage.
+10. On **Configure kiosk account and app**, toggle **Yes** to create a local user account for your digital signage:
- Enter a user name and password, and toggle **Auto sign-in** to **Yes**.
- Under **Configure the kiosk mode app**, enter the user name for the account that you're creating.
- For **App type**, select **Universal Windows App**.
- In **Enter the AUMID for the app**, enter `Microsoft.KioskBrowser_8wekyb3d8bbwe!App`.
11. In the bottom left corner of Windows Configuration Designer, select **Switch to advanced editor**.
-12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu.
+12. Go to **Runtime settings** > **Policies** > **KioskBrowser**. Let's assume that the URL for your digital signage content is contoso.com/menu:
- In **BlockedUrlExceptions**, enter `https://www.contoso.com/menu`.
- In **BlockedUrl**, enter `*`.
- In **DefaultUrl**, enter `https://www.contoso.com/menu`.
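Review bot: The lead-in for step 12 says the content URL is "contoso.com/menu" but the values entered below are `https://www.contoso.com/menu`; use the same host in both so readers don't wonder whether the bare apex is also covered by the **BlockedUrlExceptions** entry when **BlockedUrl** is `*`. Separately, steps 6 and 10 place the WPA2-Personal passphrase and the kiosk account password into the package, and the later step copies that .ppkg to a USB drive; the procedure should say that the package carries those secrets and point to the package encryption option Windows Configuration Designer offers at export, with the same signing step that a kiosk deployment would expect anyway.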
@@ -79,16 +78,3 @@ This procedure explains how to configure digital signage using Kiosk Browser on
20. Copy the .ppkg file to a USB drive.
21. Attach the USB drive to the device that you want to use for your digital sign.
22. Go to **Settings** > **Accounts** > **Access work or school** > **Add or remove a provisioning package** > **Add a package**, and select the package on the USB drive.
-
-
-
-
-
-
-
-
-
-
-
-
-
diff --git a/windows/configuration/supported-csp-start-menu-layout-windows.md b/windows/configuration/supported-csp-start-menu-layout-windows.md
new file mode 100644
index 0000000000..3c2d63c994
--- /dev/null
+++ b/windows/configuration/supported-csp-start-menu-layout-windows.md
@@ -0,0 +1,72 @@
+---
+title: Supported CSP policies to customize Start menu on Windows 11 | Microsoft Docs
+description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Start menu.
+ms.assetid:
+manager: dougeby
+ms.author: mandia
+ms.reviewer: ericpapa
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: MandiOhlinger
+ms.localizationpriority: medium
+---
+
+# Supported configuration service provider (CSP) policies for Windows 11 Start menu
+
+**Applies to**:
+
+- Windows 11
+
+The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure in a policy. When the policy is ready, you deploy the policy to your devices.
+
+This article lists the CSPs that are available to customize the Start menu for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start). For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
+
+For information on customizing the Start menu layout using policy, see [Customize the Start menu layout on Windows 11](customize-start-menu-layout-windows-11.md).
+
+## Existing Windows CSP policies that Windows 11 supports
+
+- [Start/AllowPinnedFolderDocuments](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderdocuments)
+- [Start/AllowPinnedFolderDownloads](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderfileexplorer)
+- [Start/AllowPinnedFolderFileExplorer](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup)
+- [Start/AllowPinnedFolderHomeGroup](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderhomegroup)
+- [Start/AllowPinnedFolderMusic](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldermusic)
+- [Start/AllowPinnedFolderNetwork](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldernetwork)
+- [Start/AllowPinnedFolderPersonalFolder](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpersonalfolder)
+- [Start/AllowPinnedFolderPictures](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfolderpictures)
+- [Start/AllowPinnedFolderSettings](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldersettings)
+- [Start/AllowPinnedFolderVideos](/windows/client-management/mdm/policy-csp-start#start-allowpinnedfoldervideos)
+- [Start/HideChangeAccountSettings](/windows/client-management/mdm/policy-csp-start#start-hidechangeaccountsettings)
+- [Start/HideHibernate](/windows/client-management/mdm/policy-csp-start#start-hidehibernate)
+- [Start/HideLock](/windows/client-management/mdm/policy-csp-start#start-hidelock)
+- [Start/HidePowerButton](/windows/client-management/mdm/policy-csp-start#start-hidepowerbutton)
+- [Start/HideRestart](/windows/client-management/mdm/policy-csp-start#start-hiderestart)
+- [Start/HideShutDown](/windows/client-management/mdm/policy-csp-start#start-hideshutdown)
+- [Start/HideSignOut](/windows/client-management/mdm/policy-csp-start#start-hidesignout)
+- [Start/HideSleep](/windows/client-management/mdm/policy-csp-start#start-hidesleep)
+- [Start/HideSwitchAccount](/windows/client-management/mdm/policy-csp-start#start-hideswitchaccount)
+- [Start/HideUserTile](/windows/client-management/mdm/policy-csp-start#start-hideusertile)
+- [Start/HideRecentJumplists](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
+- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
+- **Start/ShowOrHideMostUsedApps**: New policy starting with Windows 11. This policy enforces always showing Most Used Apps, or always hiding Most Used Apps in the Start menu. If you use this policy, the [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy is ignored.
+
+ The [Start/HideFrequentlyUsedApps](/windows/client-management/mdm/policy-csp-start#start-hidefrequentlyusedapps) policy enforces hiding Most Used Apps on the Start menu. You can't use this policy to enforce always showing Most Used Apps on the Start menu.
+
+## Existing CSP policies that Windows 11 doesn't support
+
+- [Start/StartLayout](/windows/client-management/mdm/policy-csp-start#start-startlayout)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Start Layout`
+
+- [Start/HideRecentlyAddedApps](/windows/client-management/mdm/policy-csp-start#start-hiderecentlyaddedapps)
+ - Group policy: `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove "Recently added" list from Start Menu`
+
+- [Start/HideAppList](/windows/client-management/mdm/policy-csp-start#start-hideapplist)
+ - Group policy:
+ - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu`
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove All Programs list from the Start menu`
+
+- [Start/DisableContextMenus](/windows/client-management/mdm/policy-csp-start#start-disablecontextmenus)
+ - Group policy:
+ - `Computer Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu`
+ - `User Configuration\Administrative Templates\Start Menu and Taskbar\Disable context menus in the Start Menu`
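Review bot: Two links in the supported list point at the wrong anchors: `Start/AllowPinnedFolderDownloads` links to `#start-allowpinnedfolderfileexplorer` and `Start/AllowPinnedFolderFileExplorer` links to `#start-allowpinnedfolderhomegroup`; each should use its own anchor (`#start-allowpinnedfolderdownloads` and `#start-allowpinnedfolderfileexplorer`), following the pattern every other entry uses. **Start/ShowOrHideMostUsedApps** is the only entry without a link to the Policy CSP reference; add one once that page documents it. Minor front-matter points: `ms.assetid:` is empty and `ms.pagetype: mobile` looks copied from another template for what is a Windows 11 desktop topic.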
diff --git a/windows/configuration/supported-csp-taskbar-windows.md b/windows/configuration/supported-csp-taskbar-windows.md
new file mode 100644
index 0000000000..2d7577e32a
--- /dev/null
+++ b/windows/configuration/supported-csp-taskbar-windows.md
@@ -0,0 +1,67 @@
+---
+title: Supported CSP policies to customize the Taskbar on Windows 11 | Microsoft Docs
+description: See a list of the Policy CSP - Start items that are supported on Windows 11 to customize the Taskbar.
+ms.assetid:
+manager: dougeby
+ms.author: mandia
+ms.reviewer: chataylo
+ms.prod: w11
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: mobile
+author: MandiOhlinger
+ms.localizationpriority: medium
+---
+
+# Supported configuration service provider (CSP) policies for Windows 11 taskbar
+
+**Applies to**:
+
+- Windows 11
+
+The Windows OS exposes CSPs that are used by MDM providers, like [Microsoft Endpoint Manager](/mem/endpoint-manager-overview). In an MDM policy, these CSPs are settings that you configure. When the policy is ready, you deploy the policy to your devices.
+
+This article lists the CSPs that are available to customize the Taskbar for Windows 11 devices. Windows 11 uses the [Policy CSP - Start](/windows/client-management/mdm/policy-csp-start).
+
+For more general information, see [Configuration service provider (CSP) reference](/windows/client-management/mdm/configuration-service-provider-reference).
+
+## Existing CSP policies that Windows 11 taskbar supports
+
+- [Start/HideRecentJumplists CSP](/windows/client-management/mdm/policy-csp-start#start-hiderecentjumplists)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not keep history of recently opened documents`
+ - Local setting: Settings > Personalization > Start > Show recently opened items in Jump Lists on Start or the taskbar
+
+- [Start/NoPinningToTaskbar](/windows/client-management/mdm/policy-csp-start#start-nopinningtotaskbar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not allow pinning programs to the Taskbar`
+ - Local setting: None
+
+## Existing CSP policies that Windows 11 doesn't support
+
+The following list includes some of the CSP policies that aren't supported on Windows 11:
+
+- [TaskbarLockAll CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarlockall)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Lock all taskbar settings`
+
+- [TaskbarNoAddRemoveToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoaddremovetoolbar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from adding or removing toolbars`
+
+- [TaskbarNoDragToolbar CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnodragtoolbar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from rearranging toolbars`
+
+- [TaskbarNoRedock CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoredock)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from moving taskbar to another screen dock location`
+
+- [TaskbarNoResize CSP](/windows/client-management/mdm/policy-csp-admx-taskbar#admx-taskbar-taskbarnoresize)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent users from resizing the taskbar`
+
+- [NoToolbarsOnTaskbar CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notoolbarsontaskbar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Do not display any custom toolbars in the taskbar`
+
+- [NoTaskGrouping CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-notaskgrouping)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Prevent grouping of taskbar items`
+
+- [HidePeopleBar CSP](/windows/client-management/mdm/policy-csp-start#start-hidepeoplebar)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Remove the People Bar from the taskbar`
+
+- [QuickLaunchEnabled CSP](/windows/client-management/mdm/policy-csp-admx-startmenu#admx-startmenu-quicklaunchenabled)
+ - Group policy: `User Configuration\Administrative Templates\Start Menu and Taskbar\Show QuickLaunch on Taskbar`
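Review bot: The description says this page lists "Policy CSP - Start items" and the body says "Windows 11 uses the Policy CSP - Start", yet seven of the nine entries in the unsupported list link into `policy-csp-admx-taskbar` and `policy-csp-admx-startmenu`; say that those are ADMX-backed policies so readers don't look for them under Policy CSP - Start. Naming is inconsistent between the two lists: `Start/HideRecentJumplists CSP` versus `Start/NoPinningToTaskbar`, and the ADMX entries (`TaskbarLockAll CSP`, `NoToolbarsOnTaskbar CSP`) drop the `ADMX_Taskbar/` and `ADMX_StartMenu/` prefixes their own anchors use; use the full policy path for each entry. `ms.assetid:` is empty here as well.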
diff --git a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
index 95f6808caf..43910cf8eb 100644
--- a/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
+++ b/windows/configuration/ue-v/uev-changing-the-frequency-of-scheduled-tasks.md
@@ -158,7 +158,7 @@ schtasks /change /tn "Microsoft\UE-V\Template Auto Update" /ri 60
The following chart provides additional information about scheduled tasks for UE-V 2:
-
+
diff --git a/windows/deployment/usmt/usmt-conflicts-and-precedence.md b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
index fdb0e895c5..c7dc4a18ce 100644
--- a/windows/deployment/usmt/usmt-conflicts-and-precedence.md
+++ b/windows/deployment/usmt/usmt-conflicts-and-precedence.md
@@ -414,7 +414,7 @@ For this example, the following table describes the resulting behavior if you ad
Figure 7a - Windows 10 Pro activation in Settings
-Windows 10 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
-
+Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only).
### Step 3: Sign in using Azure AD account
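Review bot: The rewritten line contradicts itself: it now reads "Windows 10/11 Pro activation is required before Enterprise E3 or E5 can be enabled (Windows 10, versions 1703 and 1709 only)", and the 1703/1709 qualifier means the requirement doesn't apply to Windows 11 at all; revert the "10/11" change on this line or rewrite the parenthetical. Also, the hunk header above this text (`@@ -414,7 +414,7 @@` under usmt-conflicts-and-precedence.md) doesn't match this subscription-activation content, so the file header for the file actually being changed appears to be missing from the patch as shown.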
@@ -197,35 +189,33 @@ Once the device is joined to your Azure AD subscription, the user will sign in b
### Step 4: Verify that Enterprise edition is enabled
-You can verify the Windows 10 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
+You can verify the Windows 10/11 Enterprise E3 or E5 subscription in **Settings > Update & Security > Activation**, as illustrated in **Figure 9**.
**Figure 9 - Windows 10 Enterprise subscription in Settings**
+If there are any problems with the Windows 10/11 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-If there are any problems with the Windows 10 Enterprise E3 or E5 license or the activation of the license, the **Activation** panel will display the appropriate error message or status. You can use this information to help you diagnose the licensing and activation process.
-
->[!NOTE]
->If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
->Name: Windows(R), Professional edition
->Description: Windows(R) Operating System, RETAIL channel
->Partial Product Key: 3V66T
+> [!NOTE]
+> If you use slmgr /dli or /dlv commands to retrieve the activation information for the Windows 10 E3 or E5 license, the license information displayed will be the following:
+> Name: Windows(R), Professional edition
+> Description: Windows(R) Operating System, RETAIL channel
+> Partial Product Key: 3V66T
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://aka.ms/qmth).
+Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [Qualified Multitenant Hoster](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Enterprise Subscription Activation](vda-subscription-activation.md).
## Troubleshoot the user experience
-In some instances, users may experience problems with the Windows 10 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
+In some instances, users may experience problems with the Windows 10/11 Enterprise E3 or E5 subscription. The most common problems that users may experience are as follows:
- The existing Windows 10 Pro, version 1703 or 1709 operating system is not activated. This problem does not apply to Windows 10, version 1803 or later.
-
-- The Windows 10 Enterprise E3 or E5 subscription has lapsed or has been removed.
+- The Windows 10/11 Enterprise E3 or E5 subscription has lapsed or has been removed.
Use the following figures to help you troubleshoot when users experience these common problems:
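Review bot: "**Figure 9 - Windows 10 Enterprise subscription in Settings**" and "Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA" were left as "Windows 10" while the sentences around them were changed to "Windows 10/11"; update them too, or leave all of them if Windows 11 isn't actually covered. The QMTH link change swaps the stable `https://aka.ms/qmth` redirect for a hardcoded `download.microsoft.com/.../QMTH%20Authorized%20Partner%20List.pdf` path that will go stale the next time the PDF is reissued; keep the aka.ms link and add "(PDF download)" if that was the goal. In the NOTE, `slmgr /dli` and `slmgr /dlv` should be code-formatted rather than "slmgr /dli or /dlv commands" in plain text.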
diff --git a/windows/deployment/images/wds-deprecation.png b/windows/deployment/images/wds-deprecation.png
new file mode 100644
index 0000000000..2c6b02022e
Binary files /dev/null and b/windows/deployment/images/wds-deprecation.png differ
diff --git a/windows/deployment/mbr-to-gpt.md b/windows/deployment/mbr-to-gpt.md
index 879fa0f7f0..8ad4b1b6a3 100644
--- a/windows/deployment/mbr-to-gpt.md
+++ b/windows/deployment/mbr-to-gpt.md
@@ -62,7 +62,7 @@ If any of these checks fails, the conversion will not proceed and an error will
## Syntax
-
+
diff --git a/windows/deployment/usmt/understanding-migration-xml-files.md b/windows/deployment/usmt/understanding-migration-xml-files.md
index 1a5ba3389e..e59e727ee5 100644
--- a/windows/deployment/usmt/understanding-migration-xml-files.md
+++ b/windows/deployment/usmt/understanding-migration-xml-files.md
@@ -293,7 +293,7 @@ The MigDocs.xml file calls the **GenerateDocPatterns** function, which takes thr
diff --git a/windows/deployment/planning/features-lifecycle.md b/windows/deployment/planning/features-lifecycle.md
index 333be6284a..6aa1667383 100644
--- a/windows/deployment/planning/features-lifecycle.md
+++ b/windows/deployment/planning/features-lifecycle.md
@@ -1,5 +1,5 @@
---
-title: Windows 10 features lifecycle
+title: Windows client features lifecycle
description: Learn about the lifecycle of Windows 10 features, as well as features that are no longer developed, removed features, and terminology assigned to a feature.
ms.prod: w10
ms.mktglfcycl: plan
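Review bot: The title is changed to "Windows client features lifecycle" but `description:` still says "Learn about the lifecycle of Windows 10 features"; update it in the same change, since the description is what search results display.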
@@ -14,9 +14,11 @@ ms.custom: seo-marvel-apr2020
---
# Windows 10 features lifecycle
-- Applies to: Windows 10
+Applies to:
+- Windows 10
+- Windows 11
-Each release of Windows 10 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
+Each release of Windows 10 and Windows 11 contains many new and improved features. Occasionally we also remove features and functionality, usually because there is a better option.
## Features no longer being developed
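Review bot: The H1 "# Windows 10 features lifecycle" wasn't updated to match the new front-matter title "Windows client features lifecycle"; the two should agree. The "Applies to:" change from a single list item to a label plus list is fine, but the other pages in this patch bold the label (`**Applies to**`); use the same form here.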
@@ -26,7 +28,7 @@ The following topic lists features that are no longer being developed. These fea
## Features removed
-The following topic has details about features that have been removed from Windows 10.
+The following topics have details about features that have been removed from Windows 10 or Windows 11. This includes features that are present in Windows 10, but are removed in Windows 11.
[Windows 10 features we removed](windows-10-removed-features.md)
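Review bot: "The following topics have details..." is now plural and mentions Windows 11, but only `[Windows 10 features we removed](windows-10-removed-features.md)` follows in the hunk; if a Windows 11 removed-features link was added it isn't in this hunk, and if it wasn't, the sentence should stay singular.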
diff --git a/windows/deployment/planning/windows-10-deprecated-features.md b/windows/deployment/planning/windows-10-deprecated-features.md
index 72bcfc72c9..c23e505800 100644
--- a/windows/deployment/planning/windows-10-deprecated-features.md
+++ b/windows/deployment/planning/windows-10-deprecated-features.md
@@ -8,7 +8,7 @@ ms.sitesec: library
audience: itpro
author: greg-lindsay
ms.author: greglin
-manager: laurawi
+manager: dougeby
ms.topic: article
---
# Windows 10 features we’re no longer developing
@@ -26,6 +26,7 @@ The features described below are no longer being actively developed, and might b
|Feature | Details and mitigation | Announced in version |
| ----------- | --------------------- | ---- |
+| BitLocker To Go Reader | Reading of BitLocker-protected removable drives ([BitLocker To Go](/windows/security/information-protection/bitlocker/bitlocker-to-go-faq)) from Windows XP or Windows Vista in later operating systems is deprecated and might be removed in a future release of Windows 10/11.MBR2GPT /validate|convert [/disk:<diskNumber>] [/logs:<logDirectory>] [/map:<source>=<destination>] [/allowFullOS]
The following items might not be available in a future release of Windows client:
- ADMX policy: **Allow access to BitLocker-protected removable data drives from earlier versions of Windows**
- Command line parameter: [manage-bde -DiscoveryVolumeType](/windows-server/administration/windows-commands/manage-bde-on) (-dv)
- Catalog file: **c:\windows\BitLockerDiscoveryVolumeContents**
- BitLocker 2 Go Reader app: **bitlockertogo.exe** and associated files | 21H1 |
| Internet Explorer (IE) 11 | The IE11 desktop application will end support for certain operating systems starting June 15, 2022. For more information, see [Internet Explorer 11](/lifecycle/products/internet-explorer-11). | 21H1 |
| Personalization roaming | Roaming of Personalization settings (including wallpaper, slideshow, accent colors, and lock screen images) is no longer being developed and might be removed in a future release. | 21H1 |
| Windows Management Instrumentation Command line (WMIC) tool. | The WMIC tool is deprecated in Windows 10, version 21H1 and the 21H1 semi-annual channel release of Windows Server. This tool is superseded by [Windows PowerShell for WMI](/powershell/scripting/learn/ps101/07-working-with-wmi). Note: This deprecation only applies to the [command-line management tool](/windows/win32/wmisdk/wmic). WMI itself is not affected. | 21H1 |
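Review bot: The new BitLocker To Go Reader row has unrelated text spliced into its first cell: "...future release of Windows 10/11.MBR2GPT /validate|convert [/disk:<diskNumber>] ..." is the MBR2GPT syntax line from mbr-to-gpt.md and must be removed, and the stray `|` inside it would also split the table cell. The rest of the cell is broken across several lines ("The following items might not be available...", then the four "- " items); a markdown table cell can't contain line breaks, so join them with `<br>` tags. A one-line rationale would help admins plan the mitigation: the reader exists only so Windows XP and Windows Vista can open BitLocker To Go drives, and both are long out of support, so the action is to retire those hosts rather than depend on the reader.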
diff --git a/windows/deployment/update/create-deployment-plan.md b/windows/deployment/update/create-deployment-plan.md
index 2d806516c6..0f7d0795a5 100644
--- a/windows/deployment/update/create-deployment-plan.md
+++ b/windows/deployment/update/create-deployment-plan.md
@@ -13,9 +13,14 @@ ms.topic: article
# Create a deployment plan
+**Applies to**
+
+- Windows 10
+- Windows 11
+
A "service management" mindset means that the devices in your organization fall into a continuum, with the software update process being constantly planned, deployed, monitored, and optimized. And once you use this process for feature updates, quality updates become a lightweight procedure that is simple and fast to execute, ultimately increasing velocity.
-When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline.
+When you move to a service management model, you need effective ways of rolling out updates to representative groups of devices. We’ve found that a ring-based deployment works well for us at Microsoft and many other organizations across the globe. Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method to separate devices into a deployment timeline.
At the highest level, each “ring” comprises a group of users or devices that receive a particular update concurrently. For each ring, IT administrators set criteria to control deferral time or adoption (completion) that should be met before deployment to the next broader ring of devices or users can occur.
@@ -99,8 +104,7 @@ Once the devices in the Limited ring have had a sufficient stabilization period,
In most businesses, the Broad ring includes the rest of your organization. Because of the work in the previous ring to vet stability and minimize disruption (with diagnostic data to support your decision) broad deployment can occur relatively quickly.
> [!NOTE]
-> In some instances, you might hold back on mission critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows 10 feature
-> updates to mission critical devices.
+> In some instances, you might hold back on mission-critical devices (such as medical devices) until deployment in the Broad ring is complete. Get best practices and recommendations for deploying Windows client feature updates to mission critical-devices.
During the broad deployment phase, you should focus on the following activities:
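Review bot: The hyphen is misplaced in the rewritten note: it correctly says "mission-critical devices" the first time but ends with "mission critical-devices"; fix the second to "mission-critical devices". The sentence "Get best practices and recommendations for deploying Windows client feature updates to mission-critical devices." reads like link text that lost its link; restore the target or rephrase it as a sentence ("For best practices ..., see ...").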
@@ -116,7 +120,7 @@ Previously, we have provided methods for analyzing your deployments, but these h
[Desktop Analytics](/mem/configmgr/desktop-analytics/overview) is a cloud-based service and a key tool in [Microsoft Endpoint Manager](/mem/configmgr/core/understand/microsoft-endpoint-manager-faq). Using artificial intelligence and machine learning, Desktop Analytics is a powerful tool to give you insights and intelligence to
make informed decisions about the readiness of your Windows devices.
-In Windows 10 deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
+In Windows client deployments, we have seen compatibility issues on < 0.5% of apps when using Desktop Analytics. Using Desktop Analytics with Microsoft Endpoint Manager can help you assess app compatibility with the latest
feature update and create groups that represent the broadest number of hardware and software configurations on the smallest set of devices across your organization. In addition, Desktop Analytics can provide you with a device and software inventory and identify issues, giving you data that equate to actionable decisions.
> [!IMPORTANT]
diff --git a/windows/deployment/update/delivery-optimization-workflow.md b/windows/deployment/update/delivery-optimization-workflow.md
new file mode 100644
index 0000000000..8a493889bd
--- /dev/null
+++ b/windows/deployment/update/delivery-optimization-workflow.md
@@ -0,0 +1,44 @@
+---
+title: Delivery Optimization client-service communication explained
+manager: dougeby
+description: Details of how Delivery Optimization communicates with the server when content is requested to download.
+keywords: updates, downloads, network, bandwidth
+ms.prod: w10
+ms.mktglfcycl: deploy
+audience: itpro
+author: carmenf
+ms.localizationpriority: medium
+ms.author: carmenf
+ms.collection: M365-modern-desktop
+ms.topic: article
+---
+
+# Delivery Optimization client-service communication explained
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+## Download request workflow
+
+This workflow allows Delivery Optimization to securely and efficiently deliver requested content to the calling device. Delivery Optimization uses content metadata to determine all available locations to pull content from, as well as content verification.
+
+
+1. When a download starts, the Delivery Optimization client attempts to get its content metadata. This content metadata is a hash file containing the SHA-256 block-level hashes of each piece in the file (typically one piece = 1 MB).
+2. The authenticity of the content metadata file itself is verified prior to any content being downloaded using a hash that is obtained via an SSL channel from the Delivery Optimization service. The same channel is used to ensure the content is curated and authorized to leverage peer-to-peer.
+3. When Delivery Optimization pulls a certain piece of the hash from another peer, it verifies the hash against the known hash in the content metadata file.
+4. If a peer provides an invalid piece, that piece is discarded. When a peer sends multiple bad pieces, it's banned and will no longer be used as a source by the Delivery Optimization client performing the download.
+5. If Delivery Optimization is unable to obtain the content metadata file, or if the verification of the hash file itself fails, the download will fall back to “simple mode” (pulling content only from an HTTP source) and peer-to-peer won't be allowed.
+6. Once downloading is complete, Delivery Optimization uses all retrieved pieces of the content to put the file together. At that point, the Delivery Optimization caller (for example, Windows Update) checks the entire file to verify the signature prior to installing it.
+
+## Delivery Optimization service endpoint and data information
+
+|Endpoint hostname|Port|Name|Description|Data sent from the computer to the endpoint
+|--------------------------------------------|--------|---------------|-----------------------|------------------------|
+| geover-prod.do.dsp.mp.microsoft.com
geo-prod.do.dsp.mp.microsoft.com
geo.prod.do.dsp.mp.microsoft.com
geover.prod.do.dsp.mp.microsoft.com | 443 | Geo | Service used to identify the location of the device in order to direct it to the nearest data center. | **Profile**: The device type (for example, PC or Xbox)
**doClientVersion**: The version of the DoSvc client
**groupID**: Group the device belongs to (set with DownloadMode = '2' (Group download mode) + groupID group policy / MDM policies) |
+| kv\*.prod.do.dsp.mp.microsoft.com | 443| KeyValue | Bootstrap service provides endpoints for all other services as well as device configs. | **countryCode**: The country the client is connected from
**doClientVersion**: The version of the DoSvc client
**Profile**: The device type (for example, PC or Xbox)
**eId**: Client grouping Id
**CacheHost**: Cache host id |
+| cp\*.prod.do.dsp.mp.microsoft.com
| 443 | Content Policy | Provides content specific policies as well as content metadata URLs. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**countryCode**: The country the client is connected from
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id
**CacheHost**: Cache host id |
+| disc\*.prod.do.dsp.mp.microsoft.com | 443 | Discovery | Directs clients to a particular instance of the peer matching service (Array), ensuing that clients are collocated by factors, such as content, groupId and external IP. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**partitionId**: Client partitioning hint
**altCatalogId**: If ContentId isn't available, use the download URL instead
**eId**: Client grouping Id |
+| array\*.prod.do.dsp.mp.microsoft.com | 443 | Arrays | Provides the client with list of peers that have the same content and belong to the same peer group. | **Profile**: The device type (for example, PC or Xbox)
**ContentId**: The content identifier
**doClientVersion**: The version of the DoSvc client
**altCatalogId**: If ContentId isn't available, use the download URL instead
**PeerId**: Identity of the device running DO client
**ReportedIp**: The internal / private IP Address
**IsBackground**: Is the download interactive or background
**Uploaded**: Total bytes uploaded to peers
**Downloaded**: Total bytes downloaded from peers
**DownloadedCdn**: Total bytes downloaded from CDN
**Left**: Bytes left to download
**Peers Wanted**: Total number of peers wanted
**Group Id**: Group the device belongs to (set via DownloadMode 2 + Group ID GP / MDM policies)
**Scope**: The Download mode
**UploadedBPS**: The upload speed in bytes per second
**DownloadBPS**: The download speed in Bytes per second
**eId**: Client grouping Id |
+| dl.delivery.mp.microsoft.com
emdl.ws.microsoft.com | 80 | Delivery Optimization metadata file hosting | CDN hostnames for Delivery Optimization content metadata files | Metadata download can come from different hostnames, but it's required for peer to peer. |
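Review bot: step 3 of the workflow says the client "pulls a certain piece of the hash from another peer", but what comes from a peer is a piece of the content, which is then checked against the hash recorded in the metadata file; rewrite as "When Delivery Optimization pulls a piece of the content from another peer, it verifies that piece against the known hash in the content metadata file." Related points in the same file: step 2 says the metadata hash is obtained "via an SSL channel" while every service in the table is on port 443, so say TLS (or HTTPS); and because the last table row hosts the metadata files themselves on port 80, add one sentence stating that plain HTTP is acceptable there only because the file's hash is fetched over the TLS channel and verified before any content is used (step 5 already describes the fallback when that verification fails). Also "ensuing" in the Discovery row should be "ensuring", and the multi-value cells are split across physical lines, which a Markdown table won't render; keep each row on one line with `<br>` separators.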
diff --git a/windows/deployment/update/deploy-updates-configmgr.md b/windows/deployment/update/deploy-updates-configmgr.md
index c62f135de1..73f4b8e93f 100644
--- a/windows/deployment/update/deploy-updates-configmgr.md
+++ b/windows/deployment/update/deploy-updates-configmgr.md
@@ -1,6 +1,6 @@
---
-title: Deploy Windows 10 updates with Configuration Manager (Windows 10)
-description: Deploy Windows 10 updates with Configuration Manager
+title: Deploy Windows client updates with Configuration Manager
+description: Deploy Windows client updates with Configuration Manager
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -15,6 +15,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
See the Microsoft Endpoint Manager [documentation](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) for details about using Configuration Manager to deploy and manage Windows 10 updates.
\ No newline at end of file
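Review bot: the body sentence "to deploy and manage Windows 10 updates" is left unchanged while the title and description now say "Windows client updates" and Windows 11 was added to "Applies to"; update it the same way the Intune page in this patch does. The file also still has no trailing newline.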
diff --git a/windows/deployment/update/deploy-updates-intune.md b/windows/deployment/update/deploy-updates-intune.md
index 5079d8a8f7..e871e5e68c 100644
--- a/windows/deployment/update/deploy-updates-intune.md
+++ b/windows/deployment/update/deploy-updates-intune.md
@@ -1,6 +1,6 @@
---
title: Deploy updates with Intune
-description: Deploy Windows 10 updates with Intune
+description: Deploy Windows client updates with Intune
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -15,6 +15,7 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
-See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows 10 updates.
\ No newline at end of file
+See the Microsoft Intune [documentation](/mem/intune/protect/windows-update-for-business-configure#windows-10-feature-updates) for details about using Intune to deploy and manage Windows client updates.
\ No newline at end of file
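Review bot: the link keeps the anchor `#windows-10-feature-updates`, but elsewhere in this patch the same Intune topic is now referred to as "Feature updates for Windows 10 and later", which suggests the target heading was renamed; confirm the anchor still resolves or drop it and link to the page.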
diff --git a/windows/deployment/update/deployment-service-overview.md b/windows/deployment/update/deployment-service-overview.md
index 4eca196e15..546749d1dd 100644
--- a/windows/deployment/update/deployment-service-overview.md
+++ b/windows/deployment/update/deployment-service-overview.md
@@ -16,7 +16,10 @@ ms.topic: article
# Windows Update for Business deployment service
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
The Windows Update for Business deployment service is a cloud service within the Windows Update for Business product family. It provides control over the approval, scheduling, and safeguarding of updates delivered from Windows Update. It's designed to work in harmony with your existing Windows Update for Business policies.
@@ -56,18 +59,18 @@ The deployment service exposes these capabilities through Microsoft [Graph REST
To work with the deployment service, devices must meet all these requirements:
-- Be running Windows 10, version 1709 or later
+- Be running Windows 10, version 1709 or later (or Windows 11)
- Be joined to Azure Active Directory (AD) or Hybrid AD
-- Have one of the following Windows 10 editions installed:
- - Windows 10 Pro
- - Windows 10 Enterprise
- - Windows 10 Education
- - Windows 10 Pro Education
- - Windows 10 Pro for Workstations
+- Have one of the following Windows 10 or Windows 11 editions installed:
+ - Pro
+ - Enterprise
+ - Education
+ - Pro Education
+ - Pro for Workstations
Additionally, your organization must have one of the following subscriptions:
-- Windows 10 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
-- Windows 10 Education A3 or A5 (included in Microsoft 365 A3 or A5)
+- Windows 10/11 Enterprise E3 or E5 (included in Microsoft 365 F3, E3, or E5)
+- Windows 10/11 Education A3 or A5 (included in Microsoft 365 A3 or A5)
- Windows Virtual Desktop Access E3 or E5
- Microsoft 365 Business Premium
@@ -78,7 +81,7 @@ To use the deployment service, you use a management tool built on the platform,
### Using Microsoft Endpoint Manager
-Microsoft Endpoint Manager integrates with the deployment service to provide Windows 10 update management capabilities. For more information, see [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates).
+Microsoft Endpoint Manager integrates with the deployment service to provide Windows client update management capabilities. For more information, see [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates).
### Scripting common actions using PowerShell
@@ -112,7 +115,7 @@ You should continue to use deployment rings as part of the servicing strategy fo
### Monitoring deployments to detect rollback issues
-During a feature update deployment, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
+During deployments of Windows 11 or Windows 10 feature updates, driver combinations can sometimes result in an unexpected update failure that makes the device revert to the previously installed operating system version. The deployment service can monitor devices for such issues and automatically pause deployments when this happens, giving you time to detect and mitigate issues.
### How to enable deployment protections
@@ -121,38 +124,42 @@ Deployment scheduling controls are always available, but to take advantage of th
#### Device prerequisites
-> [!NOTE]
-> Deployment protections are currently in preview and available if you're using Update Compliance. If you set these policies on a a device that isn't enrolled in Update Compliance, there is no effect.
-
- Diagnostic data is set to *Required* or *Optional*.
- The **AllowWUfBCloudProcessing** policy is set to **8**.
#### Set the **AllowWUfBCloudProcessing** policy
-To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy.
-
-> [!NOTE]
-> Setting this policy by using Group Policy isn't currently supported.
+To enroll devices in Windows Update for Business cloud processing, set the **AllowWUfBCloudProcessing** policy using mobile device management (MDM) policy or Group Policy.
| Policy | Sets registry key under **HKLM\\Software** |
|--------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------|
+| GPO for Windows 10, version 1809 or later: Computer Configuration > Administrative Templates > Windows Components > Data Collection and Preview Builds > **Allow WUfB Cloud Processing** | \\Policies\\Microsoft\\Windows\\DataCollection\\AllowWUfBCloudProcessing |
| MDM for Windows 10, version 1809 or later: ../Vendor/MSFT/ Policy/Config/System/**AllowWUfBCloudProcessing** | \\Microsoft\\PolicyManager\\default\\System\\AllowWUfBCloudProcessing |
Following is an example of setting the policy using Microsoft Endpoint Manager:
1. Sign in to the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431).
+
2. Select **Devices** > **Configuration profiles** > **Create profile**.
+
3. Select **Windows 10 and later** in **Platform**, select **Templates** in **Profile type**, select **Custom** in **Template name**, and then select **Create**.
+
4. In **Basics**, enter a meaningful name and a description for the policy, and then select **Next**.
+
5. In **Configuration settings**, select **Add**, enter the following settings, select **Save**, and then select **Next**.
- Name: **AllowWUfBCloudProcessing**
- Description: Enter a description.
- OMA-URI: `./Vendor/MSFT/Policy/Config/System/AllowWUfBCloudProcessing`
- Data type: **Integer**
- Value: **8**
+
6. In **Assignments**, select the groups that will receive the profile, and then select **Next**.
+
7. In **Review + create**, review your settings, and then select **Create**.
-8. (Optional) To verify that the policy reached the client, check the value of the following registry entry: **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**.
+
+8. (Optional) To verify that the policy reached the client, check the value of the following registry entry:
+
+ **HKEY\_LOCAL\_MACHINE\\SOFTWARE\\Microsoft\\PolicyManager \\default\\System\\AllowWUfBCloudProcessing**
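Review bot: the removed note said the policy has no effect on devices that aren't enrolled in Update Compliance; if that prerequisite still holds, dropping it leaves the reader without the reason their policy does nothing, so either list the enrollment requirement under "Device prerequisites" or state that it no longer applies. Two follow-ups on the new Group Policy row: step 8 verifies only the MDM path under PolicyManager, so for the GPO route add the path from the table, `HKLM\Software\Policies\Microsoft\Windows\DataCollection\AllowWUfBCloudProcessing`, and the expected value (8). The stray space in "PolicyManager \default" in the verification path should also be removed.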
## Best practices
Follow these suggestions for the best results with the service.
@@ -160,6 +167,7 @@ Follow these suggestions for the best results with the service.
### Device onboarding
- Wait until devices finish provisioning before managing with the service. If a device is being provisioned by Autopilot, it can only be managed by the deployment service after it finishes provisioning (typically one day).
+
- Use the deployment service for feature update management without feature update deferral policy. If you want to use the deployment service to manage feature updates on a device that previously used a feature update deferral policy, it's best to set the feature update deferral policy to **0** days to avoid having multiple conditions governing feature updates. You should only change the feature update deferral policy value to 0 days after you've confirmed that the device was enrolled in the service with no errors.
### General
@@ -171,5 +179,5 @@ Avoid using different channels to manage the same resources. If you use Microsof
To learn more about the deployment service, try the following:
-- [Windows 10 feature updates policy in Intune](/mem/intune/protect/windows-10-feature-updates)
+- [Feature updates for Windows 10 and later policy in Intune](/mem/intune/protect/windows-10-feature-updates)
- [Windows updates API overview in Microsoft Graph](/graph/windowsupdates-concept-overview)
diff --git a/windows/deployment/update/deployment-service-troubleshoot.md b/windows/deployment/update/deployment-service-troubleshoot.md
index 1f9675d1d9..e1b83d057b 100644
--- a/windows/deployment/update/deployment-service-troubleshoot.md
+++ b/windows/deployment/update/deployment-service-troubleshoot.md
@@ -16,7 +16,10 @@ ms.topic: article
# Troubleshoot the Windows Update for Business deployment service
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
This troubleshooting guide addresses the most common issues that IT administrators face when using the Windows Update for Business [deployment service](deployment-service-overview.md). For a general troubleshooting guide for Windows Update, see [Windows Update troubleshooting](windows-update-troubleshooting.md).
diff --git a/windows/deployment/update/eval-infra-tools.md b/windows/deployment/update/eval-infra-tools.md
index ce3c85e030..1d8974b7b8 100644
--- a/windows/deployment/update/eval-infra-tools.md
+++ b/windows/deployment/update/eval-infra-tools.md
@@ -15,34 +15,39 @@ ms.collection: m365initiative-coredeploy
# Evaluate infrastructure and tools
+**Applies to**
+
+- Windows 10
+- Windows 11
+
Before you deploy an update, it's best to assess your deployment infrastructure (that is, tools such as Configuration Manager, Microsoft Intune, or similar) and current configurations (such as security baselines, administrative templates, and policies that affect updates). Then, set some criteria to define your operational readiness.
## Infrastructure
Do your deployment tools need updates?
-- If you use Configuration Manager, is it on the Current Branch with the latest release installed. Being on this branch ensures that it supports the next Windows 10 feature update. Configuration Manager releases are supported for 18 months.
+- If you use Configuration Manager, is it on the Current Branch with the latest release installed.? Being on this branch ensures that it supports the next Windows client feature update. Configuration Manager releases are supported for 18 months.
- Using a cloud-based management tool like Microsoft Intune reduces support challenges, since no related products need to be updated.
-- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows 10 feature update.
+- If you use a non-Microsoft tool, check with its product support to make sure you're using the current version and that it supports the next Windows client feature update.
Rely on your experiences and data from previous deployments to help you judge how long infrastructure changes take and identify any problems you've encountered while doing so.
## Device settings
-Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows 10 update is installed.
+Make sure your security baseline, administrative templates, and policies have the right settings to support your devices once the new Windows client update is installed.
### Security baseline
-Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows 10 update are set properly.
+Keep security baselines current to help ensure that your environment is secure and that new security feature in the coming Windows client update are set properly.
- **Microsoft security baselines**: You should implement security baselines from Microsoft. They are included in the [Security Compliance Toolkit](https://www.microsoft.com/download/details.aspx?id=55319), along with tools for managing them.
-- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows 10 you are about to deploy.
+- **Industry- or region-specific baselines**: Your specific industry or region might have particular baselines that you must follow per regulations. Ensure that any new baselines support the version of Windows client you are about to deploy.
### Configuration updates
There are a number of Windows policies (set by Group Policy, Intune, or other methods) that affect when Windows updates are installed, deferral, end-user experience, and many other aspects. Check these policies to make sure they are set appropriately.
-- **Windows 10 Administrative templates**: Each Windows 10 feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591).
+- **Windows Administrative templates**: Each Windows client feature update has a supporting Administrative template (.admx) file. Group Policy tools use Administrative template files to populate policy settings in the user interface. The templates are available in the Download Center, for example, this one for [Windows 10, version 1909](https://www.microsoft.com/download/100591).
- **Policies for update compliance and end-user experience**: A number of settings affect when a device installs updates, whether and for how long a user can defer an update, restart behavior after installation, and many other aspects of update behavior. It's especially important to look for existing policies that are out of date or could conflict with new ones.
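Review bot: the rewrite of the Configuration Manager bullet introduces "installed.?"; drop the period. In the same hunk, "new security feature in the coming Windows client update are set properly" should read "features", and the Administrative templates bullet now says "Windows client" while its only example link is the Windows 10, version 1909 template; a Windows 11 template link would match the new scope.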
@@ -50,9 +55,9 @@ There are a number of Windows policies (set by Group Policy, Intune, or other me
When you’ve deployed an update, you’ll need to make sure the update isn’t introducing new operational issues. And you’ll also ensure that if incidents arise, the needed documentation and processes are available. Work with your operations and support team to define acceptable trends and what documents or processes require updating:
-- **Call trend**: Define what percentage increase in calls relating to Windows 10 feature updates are acceptable or can be supported.
-- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows 10 feature updates are acceptable or can be supported.
-- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows 10 feature update.
+- **Call trend**: Define what percentage increase in calls relating to Windows client feature updates are acceptable or can be supported.
+- **Incident trend**: Define what percentage of increase in calls asking for support relating to Windows client feature updates are acceptable or can be supported.
+- **Support documentation**: Review supporting documentation that requires an update to support new infrastructure tooling or configuration as part of the Windows client feature update.
- **Process changes:** Define and update any processes that will change as a result of the Windows 10 feature update.
Your operations and support staff can help you determine if the appropriate information is being tracked at the moment. If it isn't, work out how to get this information so you can gain the right insight.
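Review bot: the "Process changes" bullet still says "Windows 10 feature update" while the three bullets above it were changed to "Windows client feature update"; change it for consistency.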
diff --git a/windows/deployment/update/fod-and-lang-packs.md b/windows/deployment/update/fod-and-lang-packs.md
index fc45328c40..13a811171f 100644
--- a/windows/deployment/update/fod-and-lang-packs.md
+++ b/windows/deployment/update/fod-and-lang-packs.md
@@ -16,15 +16,18 @@ ms.custom: seo-marvel-apr2020
---
# How to make Features on Demand and language packs available when you're using WSUS or Configuration Manager
-> Applies to: Windows 10
+**Applies to**
-In Windows 10 version 21H2, non-Administrator user accounts can add both a display language and its corresponding language features.
+- Windows 10
+- Windows 11
+
+In Windows 10 version 21H2 and later, non-Administrator user accounts can add both a display language and its corresponding language features.
As of Windows 10 version 1709, you can't use Windows Server Update Services (WSUS) to host [Features on Demand](/windows-hardware/manufacture/desktop/features-on-demand-v2--capabilities) (FODs) locally. Starting with Windows 10 version 1803, language packs can no longer be hosted on WSUS.
The **Specify settings for optional component installation and component repair** policy, located under `Computer Configuration\Administrative Templates\System` in the Group Policy Editor, can be used to specify alternate ways to acquire FOD packages, language packages, and content for corruption repair. However, it's important to note this policy only allows specifying one alternate location and behaves differently across OS versions.
-In Windows 10 version 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
+In Windows 10 versions 1709 and 1803, changing the **Specify settings for optional component installation and component repair** policy to download content from Windows Update enables acquisition of FOD packages while also enabling corruption repair. Specifying a network location works for either, depending on the content is found at that location. Changing this policy on these OS versions does not influence how language packs are acquired.
In Windows 10 version 1809 and beyond, changing the **Specify settings for optional component installation and component repair** policy also influences how language packs are acquired, however language packs can only be acquired directly from Windows Update. It's currently not possible to acquire them from a network share. Specifying a network location works for FOD packages or corruption repair, depending on the content at that location.
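Review bot: "In Windows 10 version 21H2 and later" now sits under an "Applies to" list that includes Windows 11, but it doesn't say whether the original Windows 11 release (version 21H2, which shipped before Windows 10 21H2) also lets non-administrator accounts add display languages; name the Windows 11 version explicitly. The changed sentence on versions 1709 and 1803 also keeps "depending on the content is found at that location", which should be "depending on whether the content is found at that location".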
diff --git a/windows/deployment/update/how-windows-update-works.md b/windows/deployment/update/how-windows-update-works.md
index a926abfb28..1cb0a47bf7 100644
--- a/windows/deployment/update/how-windows-update-works.md
+++ b/windows/deployment/update/how-windows-update-works.md
@@ -15,9 +15,12 @@ ms.topic: article
ms.custom: seo-marvel-apr2020
---
-# How does Windows Update work?
+# How Windows Update works
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
The Windows Update workflow has four core areas of functionality:
diff --git a/windows/deployment/update/media-dynamic-update.md b/windows/deployment/update/media-dynamic-update.md
index 3758d0c313..01eadf3247 100644
--- a/windows/deployment/update/media-dynamic-update.md
+++ b/windows/deployment/update/media-dynamic-update.md
@@ -16,7 +16,10 @@ ms.topic: article
# Update Windows installation media with Dynamic Update
-**Applies to**: Windows 10, Windows 11
+**Applies to**
+
+- Windows 10
+- Windows 11
This topic explains how to acquire and apply Dynamic Update packages to existing Windows images *prior to deployment* and includes Windows PowerShell scripts you can use to automate this process.
diff --git a/windows/deployment/update/optional-content.md b/windows/deployment/update/optional-content.md
index addb9d4952..cad3343d01 100644
--- a/windows/deployment/update/optional-content.md
+++ b/windows/deployment/update/optional-content.md
@@ -15,9 +15,14 @@ ms.topic: article
# Migrating and acquiring optional Windows content during updates
+**Applies to**
+
+- Windows 10
+- Windows 11
+
This article provides some background on the problem of keeping language resources and Features on Demand during operating system updates and offers guidance to help you move forward in the short term and prepare for the long term.
-When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows 10 setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows 10 feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update).
+When you update the operating system, it’s critical to keep language resources and Features on Demand (FODs). Many commercial organizations use Configuration Manager or other management tools to distribute and orchestrate Windows client setup using a local Windows image or WIM file (a “media-based” or “task-sequence-based” update). Others do in-place updates using an approved Windows client feature update by using Windows Server Update Services (WSUS), Configuration Manager, or equivalent tools (a "servicing-based” update).
Neither approach contains the full set of Windows optional features that a user’s device might need, so those features are not migrated to the new operating system. Further, those features are not available in Configuration Manager or WSUS for on-premises acquisition after a feature update
@@ -29,7 +34,7 @@ Optional content includes the following items:
- Language-based and regional FODs (for example, Language.Basic~~~ja-jp~0.0.1.0)
- Local Experience Packs
-Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
+Optional content isn’t included by default in the Windows image file that is part of the operating system media available in the Volume Licensing Service Center (VLSC). Instead, it’s released as an additional ISO file on VLSC. Shipping these features out of the operating system media and shipping them separately reduces the disk footprint of Windows. This approach provides more space for user’s data. It also reduces the time needed to service the operating system, whether installing a monthly quality update or upgrading to a newer version. A smaller default Windows image also means less data to transmit over the network.
## Why is acquiring optional content challenging?
@@ -37,17 +42,17 @@ The challenges surrounding optional content typically fall into two groups:
### Incomplete operating system updates
-The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating is written to the user’s disk alongside the old version. This is a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When this happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
+The first challenge is related to content migration during a feature update. When Windows Setup performs an in-place update, the new operating system is written to the user’s disk alongside the old version in a temporary folder, where a second clean operating system is installed and prepared for the user to "move into." When operation happens, Windows Setup enumerates optional content installed already in the current version and plans to install the new version of this content in the new operating system.
-Windows Setup needs access to the optional content to do this. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.”
+Windows Setup needs access to the optional content. Since optional content is not in the Windows image by default, Windows Setup must look elsewhere to get the Windows packages, stage them, and then install them in the new operating system. When the content can’t be found, the result is an update that is missing features on the device, a frustrated end user, and likely a help desk call. This pain point is sometimes referred to "failure to migrate optional content during update." For media-based updates, Windows will automatically try again once the new operating system boots. We call this “latent acquisition.”
### User-initiated feature acquisition failure
-The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows 10, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, additional language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.”
+The second challenge involves a failure to acquire features when a user requests them. Imagine a user running a device with a new version of Windows client, either by using a clean installation or an in-place update. The user visits Settings, and attempts to install a second language, more language experience features, or other optional content. Again, since these features are not in the operating system, the packages need to be acquired. For a typical user with internet access, Windows will acquire the features from a nearby Microsoft content delivery network, and everything works as designed. For commercial users, some might not have internet access or have policies to prevent acquisition over the internet. In these situations, Windows must acquire the content from an alternative location. When the content can’t be found, users are frustrated and another help desk call could result. This pain point is sometimes referred to as "failure to acquire optional content.”
## Options for acquiring optional content
-Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows 10. In this table,
+Most commercial organizations understand the pain points outlined above, and discussions typically start with them asking what plans are available to address these challenges. The following table includes multiple options for consideration, depending on how you are currently deploying Windows client. In this table,
- Migration means it supports optional content migration during an update.
- Acquisition means it supports optional content acquisition (that is, initiated by the user).
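Review bot: the rewritten first line still reads `sometimes referred to "failure to migrate optional content during update."`, which is missing "as" after "referred to"; since the line is being touched anyway, suggest `sometimes referred to as "failure to migrate optional content during update."` The same hunk replaces "Windows 10" with "Windows client" in phrases that then lack a noun ("a new version of Windows client", "deploying Windows client"); "the Windows client" or "Windows client devices" would read more naturally. The closing quote in `"failure to acquire optional content.”` is a curly quote paired with a straight opening quote; use straight quotes consistently.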
@@ -70,30 +75,30 @@ Most commercial organizations understand the pain points outlined above, and dis
Windows Update for Business solves the optional content problem. Optional content is published and available for acquisition by Windows Setup from a nearby Microsoft content delivery network and acquired using the Unified Update Platform. Optional content migration and acquisition scenarios "just work" when the device is connected to an update service that uses the Unified Update Platform, such as Windows Update or Windows Update for Business. If for some reason a language pack fails to install during the update, the update will automatically roll back.
-Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows 10, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS.
+Starting with Windows 10, version 1709, we introduced the [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/). The Unified Update Platform is an improvement in the underlying Windows update technology that results in smaller download sizes and a more efficient protocol for checking for updates, acquiring and installing the packages needed, and getting current in one update step. The technology is "unified" because it brings together the update stack for Windows client, Windows Server, and other products, such as HoloLens. The Unified Update Platform is not currently integrated with WSUS.
-You should consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows 10 device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. See [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, as well as our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic.
+Consider moving to Windows Update for Business. Not only will the optional content scenario work seamlessly (as it does for consumer devices today), but you also get the full benefits of smaller download sizes also known as Express Updates. Further, devices that use devices are immune to the challenge of upgrading a Windows client device where the operating system installation language is inadvertently changed to a new language. Otherwise, any future media-based feature updates can fail when the installation media has a different installation language. For more info, see [Upgrading Windows 10 devices with installation media different than the original OS install language](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/upgrading-windows-10-devices-with-installation-media-different/ba-p/746126) for more details, and our [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002) on this topic.
### Option 2: Enable Dynamic Update
-If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows 10 feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows 10 Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following:
+If you’re not ready to move to Windows Update, another option is to enable Dynamic Update during a feature update. As soon as a Windows feature update starts, whether via a media-based update or a WSUS-based feature update, Dynamic Update is one of the first steps invoked. Windows Setup connects to an internet-facing URL hosted by Microsoft to fetch Dynamic Update content, and then applies those updates to the operating system installation media. The content acquired includes the following:
- Setup updates: Fixes to Setup.exe binaries or any files that Setup uses for feature updates.
- Safe OS updates: Fixes for the "safe OS" that are used to update Windows recovery environment (WinRE).
-- Servicing stack updates: Fixes that are necessary to address the Windows 10 servicing stack issue and thus required to complete the feature update.
+- Servicing stack updates: Fixes that are necessary to address the Windows servicing stack issue and thus required to complete the feature update.
- Latest cumulative update: Installs the latest cumulative quality update.
- Driver updates: Latest version of applicable drivers that have already been published by manufacturers into Windows Update and meant specifically for Dynamic Update.
-In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows 10 Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+In addition to these updates for the new operating system, Dynamic Update will acquire optional content during the update process to ensure that the device has this content present when the update completes. So, although the device is not connected to Windows Update, it will fetch content from a nearby Microsoft content download network (CDN). This approach addresses the first pain point with optional content, but not user-initiated acquisition. By default, [Dynamic Update](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#dynamicupdate) is enabled by Windows Setup. You can enable or disable Dynamic Update by using the /DynamicUpdate option in Windows Setup. If you use the servicing-based approach, you can set this value with setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
-Starting in Windows 10, version 2004, Dynamic Update can be configured with additional options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will go through an additional reboot for the latest cumulative update since it was not available during the feature update.
+Starting in Windows 10, version 2004, Dynamic Update can be configured with more options. For example, you might want to have the benefits of optional content migration without automatically acquiring the latest quality update. You can do that with the /DynamicUpdate NoLCU option of Windows Setup. Afterward, you would separately follow your existing process for testing and approving monthly updates. The downside of this approach is the device will reboot again for the latest cumulative update since it was not available during the feature update.
-One additional consideration when using Dynamic Update is the impact to your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available.
+One further consideration when using Dynamic Update is the affect on your network. One of the top blockers for this approach is the concern that each device will separately fetch this content from Microsoft. Windows 10, version 2004 setup now downloads Dynamic Update content using Delivery Optimization when available.
For devices that aren’t connected to the internet, a subset of the Dynamic Update content is available by using WSUS and the Microsoft catalog.
### Option 3: Customize the Windows Image before deployment
- For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This is sometimes referred to as customizing the installation media.
+ For many organizations, the deployment workflow involves a Configuration Manager task sequence that performs a media-based update. Some customers either don’t have internet connectivity, or the connectivity is poor and so they can’t enable Dynamic Update. In these cases, we recommend installing optional content prior to deployment. This activity is sometimes referred to as customizing the installation media.
You can customize the Windows image in these ways:
@@ -104,24 +109,24 @@ You can customize the Windows image in these ways:
- Adding or removing languages
- Adding or removing Features on Demand
-The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This allows for device-specific image customization based on what's currently installed.
+The benefit of this option is that the Windows image can include those additional languages, language experience features, and other Features on Demand through one-time updates to the image. Then you can use them in an existing task sequence or custom deployment where Setup.exe is involved. The downside of this approach is that it requires some preparation of the image in advance, including scripting with DISM to install the additional packages. It also means the image is the same for all devices that consume it and might contain more features than some users need. For more information on customizing your media, see [Updating Windows 10 media with Dynamic Update packages](https://techcommunity.microsoft.com/t5/windows-it-pro-blog/updating-windows-10-media-with-dynamic-update-packages/ba-p/982477) and our [Ignite 2019 theater session THR3073](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR3073). Also like Option 2, you still have a solution for migration of optional content, but not supporting user-initiated optional content acquisition. Also, there is a variation of this option in which media is updated *on the device* just before installation. This option allows for device-specific image customization based on what's currently installed.
### Option 4: Install language features during deployment
-A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows 10 Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
+A partial solution to address the first pain point of failing to migrate optional content during upgrade is to inject a subset of optional content during the upgrade process. This approach uses the Windows Setup option [/InstallLangPacks](/windows-hardware/manufacture/desktop/windows-setup-command-line-options#installlangpacks) to add Language Packs and language capabilities such as text-to-speech recognition from a folder that contains the packages. This approach lets an IT pro take a subset of optional content and stage them within their network. If you use the servicing-based approach, you can configure InstallLangPacks using setupconfig.ini. See [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview) for details.
-When Setup runs, it will inject these packages into the new operating system during installation. This means it can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, as well as the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled).
+When Setup runs, it will inject these packages into the new operating system during installation. It can be an alternative to enabling Dynamic Update or customizing the operating system image before deployment. You must take care with this approach, because the packages cannot be renamed. Further, the content is coming from two separate release media ISOs. The key is to copy both the FOD packages and the FOD metadata .cab from the FOD ISO into the folder, and the architecture-specific Language Pack .cabs from the LPLIP ISO. Also, starting with Windows 10, version 1903, the behavior changed. In Windows 10, version 1809 and earlier, failure to install the packages wasn’t a fatal error. Starting with Windows 10, version 1903, we treat InstallLangPacks failures as fatal, and roll back the entire upgrade. The idea is to not leave the user in a bad state since media-based upgrades don’t migrate FOD and languages (unless Dynamic Update is enabled).
-This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting. For some commercial customers, this is implemented as their primary pain point has to do with language support immediately after the update.
+This approach has some interesting benefits. The original Windows image doesn’t need to be modified, possibly saving time and scripting.
### Option 5: Install optional content after deployment
-This option is like Option 3 in that you customize the operating system image with additional optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality.
+This option is like Option 3 in that you customize the operating system image with more optional content after it’s deployed. IT pros can extend the behavior of Windows Setup by running their own custom action scripts during and after a feature update. See [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions) for details. With this approach, you can create a device-specific migration of optional content by capturing the optional content that is installed in the operating system, and then saving this list to install the same optional content in the new operating system. Like Option 4, you would internally host a network share that contains the source of the optional content packages. Then, during the execution of Setup on the device, capture the list of installed optional content from the source operating system and save. Later, after Setup completes, you use the list to install the optional content, which leaves the user’s device without loss of functionality.
### Option 6: Configure an alternative source for optional content
-Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of additional content to be hosted within your network (additional to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy:
+Several of the options address ways to address optional content migration issues during an in-place update. To address the second pain point of easily acquiring optional content in the user-initiated case, you can configure each device by using the Specify settings for optional component installation and component repair Group Policy. This policy setting specifies the network locations that will be used for the repair of operating system corruption and for enabling optional features that have had their payload files removed. This approach has the disadvantage of more content to be hosted within your network (in addition to the operating system image you might be still deploying to some clients) but has the advantage of acquiring content within your network. Some reminders about this policy:
- The file path to the alternate source must be a fully qualified path; multiple locations can be separated by a semicolon.
- This setting does not support installing language packs from Alternate source file path, only Features on Demand. If the policy is configured to acquire content from Windows Update, language packs will be acquired.
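Review bot: the rewritten "Consider moving to Windows Update for Business" line carries over the typo "devices that use devices are immune", which from the paragraph's subject presumably should read "devices that use Windows Update for Business are immune"; while editing this line, also drop one of the duplicated lead-ins in "For more info, see [...] for more details". Further down, "the affect on your network" swaps "impact" for the wrong word and should be "the effect on your network". The added Option 3 paragraph still begins with a leading space before "For many organizations", unlike the surrounding paragraphs, and "Several of the options address ways to address" in the Option 6 line repeats "address" twice.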
@@ -141,7 +146,7 @@ For more information about the Unified Update Platform and the approaches outlin
- [Ignite 2019 theater session THR4002](https://medius.studios.ms/video/asset/HIGHMP4/IG19-THR4002)
- [Run custom actions during feature update](/windows-hardware/manufacture/desktop/windows-setup-enable-custom-actions)
- [Unified Update Platform](https://blogs.windows.com/windowsexperience/2016/11/03/introducing-unified-update-platform-uup/)
-- [Updating Windows 10 media with Dynamic Update packages](media-dynamic-update.md)
+- [Updating Windows installation media with Dynamic Update packages](media-dynamic-update.md)
- [Windows Setup Automation Overview](/windows-hardware/manufacture/desktop/windows-setup-automation-overview)
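Review bot: this related-links entry is retitled to "Updating Windows installation media with Dynamic Update packages" and points at media-dynamic-update.md, yet the Option 3 paragraph in the same change still cites "Updating Windows 10 media with Dynamic Update packages" at the techcommunity blog URL. If both are meant to be the same article, align the body link's title and target with this entry; if they are intentionally different (blog post versus docs article), the near-identical titles will confuse readers, so consider distinguishing them.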
@@ -564,7 +569,7 @@ Dismount-DiskImage -ImagePath $FOD_ISO_PATH -ErrorAction ignore | Out-Null
### Saving optional content in the source operating system
-To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This will limit the files to copy.
+To save optional content state in the source operating system, we create a custom action script to run before the operating system installs. In this script, we save optional features and language resources to a file. We also make a local copy of the repo with only those files needed based on the languages installed on the source operating system. This action will limit the files to copy.
```powershell
diff --git a/windows/deployment/update/plan-define-readiness.md b/windows/deployment/update/plan-define-readiness.md
index 2e371a0df1..40198581cc 100644
--- a/windows/deployment/update/plan-define-readiness.md
+++ b/windows/deployment/update/plan-define-readiness.md
@@ -15,6 +15,11 @@ ms.collection: m365initiative-coredeploy
# Define readiness criteria
+**Applies to**
+
+- Windows 10
+- Windows 11
+
## Figure out roles and personnel
Planning and managing a deployment involves a variety of distinct activities and roles best suited to each. As you plan, it's worth figuring out which roles you'll need to carry out the deployment and who should fill them. Different roles are active at various phases of a deployment. Depending on the size and complexity of your organization, some of the roles could be filled by the same person. However, it's best to have an established *process manager*, who will oversee all of the tasks for the deployment.
diff --git a/windows/deployment/update/plan-determine-app-readiness.md b/windows/deployment/update/plan-determine-app-readiness.md
index 0bb65d7087..8fcd5f228e 100644
--- a/windows/deployment/update/plan-determine-app-readiness.md
+++ b/windows/deployment/update/plan-determine-app-readiness.md
@@ -16,7 +16,12 @@ author: jaimeo
# Determine application readiness
-Before you deploy a Windows 10 update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps] with respect to their criticality in your organization.
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+Before you deploy a Windows client update, you should know which apps will continue to work without problems, which need their own updates, and which just won't work and must be replaced. If you haven't already, it's worth [classifying your apps](plan-define-readiness.md) with respect to their criticality in your organization.
## Validation methods
diff --git a/windows/deployment/update/prepare-deploy-windows.md b/windows/deployment/update/prepare-deploy-windows.md
index 4da49340aa..3ea447d2c4 100644
--- a/windows/deployment/update/prepare-deploy-windows.md
+++ b/windows/deployment/update/prepare-deploy-windows.md
@@ -15,7 +15,12 @@ ms.collection: m365initiative-coredeploy
# Prepare to deploy Windows
-Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows 10. The planning phase will have left you with these useful items:
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+Having worked through the activities in the planning phase, you should be in a good position to prepare your environment and process to deploy Windows client. The planning phase will have left you with these useful items:
- A clear understanding of necessary personnel and their roles and criteria for [rating app readiness](plan-define-readiness.md)
- A plan for [testing and validating](plan-determine-app-readiness.md) apps
@@ -114,7 +119,7 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir
> [!NOTE]
> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
-The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
+The specific endpoints can vary between Windows versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows client versions are available in the table of contents nearby.
### Optimize download bandwidth
@@ -124,7 +129,7 @@ Set up [Delivery Optimization](waas-delivery-optimization.md) for peer network s
In the course of surveying your device population, either with Desktop Analytics or by some other means, you might find devices that have systemic problems that could interfere with update installation. Now is the time to fix those problems.
-- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
+- **Low disk space:** Quality updates require a minimum of 2 GB to successfully install. Feature updates require between 8 GB and 15 GB depending upon the configuration. On Windows 10, version 1903 and later (and Windows 11) you can proactively use the "reserved storage" feature (for wipe and loads, rebuilds, and new builds) to avoid running out of disk space. If you find a group of devices that don't have enough disk space, you can often resolve the problem by cleaning up log files and asking users to clean up data if necessary. A good place to start is to delete the following files:
- C:\Windows\temp
- C:\Windows\cbstemp (though this file might be necessary to investigate update failures)
diff --git a/windows/deployment/update/safeguard-holds.md b/windows/deployment/update/safeguard-holds.md
index 735acd6e97..eb28dce097 100644
--- a/windows/deployment/update/safeguard-holds.md
+++ b/windows/deployment/update/safeguard-holds.md
@@ -12,9 +12,14 @@ ms.topic: article
# Safeguard holds
-Microsoft uses quality and compatibility data to identify issues that might cause a Windows 10 feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+**Applies to**
-Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows 10.
+- Windows 10
+- Windows 11
+
+Microsoft uses quality and compatibility data to identify issues that might cause a Windows client feature update to fail or roll back. When we find such an issue, we might apply holds to the updating service to prevent affected devices from installing the update in order to safeguard them from these experiences. We also use holds when a customer, a partner, or Microsoft internal validation finds an issue that would cause severe impact (for example, rollback of the update, data loss, loss of connectivity, or loss of key functionality) and when a workaround is not immediately available.
+
+Safeguard holds prevent a device with a known issue from being offered a new operating system version. We renew the offering once a fix is found and verified. We use holds to ensure customers have a successful experience as their device moves to a new version of Windows client.
The lifespan of holds varies depending on the time required to investigate and fix an issue. During this time Microsoft works diligently to procure, develop, and validate a fix and then offer it to affected devices. We monitor quality and compatibility data to confirm that a fix is complete before releasing the hold. Once we release the hold, Windows Update will resume offering new operating system versions to devices.
diff --git a/windows/deployment/update/safeguard-opt-out.md b/windows/deployment/update/safeguard-opt-out.md
index a6ad9a0b05..928b215cef 100644
--- a/windows/deployment/update/safeguard-opt-out.md
+++ b/windows/deployment/update/safeguard-opt-out.md
@@ -12,21 +12,26 @@ ms.topic: article
# Opt out of safeguard holds
-Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows 10 feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
+**Applies to**
+
+- Windows 10
+- Windows 11
+
+Safeguard holds prevent a device with a known compatibility issue from being offered a new Windows client feature update by using Windows Update. We use safeguard holds to protect the device and user from a failed or poor update experience. We renew the offering once a fix is issued and is verified on an affected device. For more information about safeguard holds, see [Safeguard holds](safeguard-holds.md).
## How can I opt out of safeguard holds?
-IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update.
+IT admins can, if necessary, opt devices out of safeguard protections by using the disable safeguards policy. In a Mobile Device Management (MDM) tool, use the **Update/DisableWUfBSafeguards** CSP. In Group Policy, use the **Disable safeguards for Feature Updates** Group Policy. This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update and in Windows 11.
> [!CAUTION]
> Opting out of a safeguard hold can put devices at risk from known performance issues.
-We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows 10 feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
+We recommend opting out only in an IT environment and for validation purposes. You can also validate an upcoming Windows client feature update version without the safeguards being applied by using the Release Preview channel of the Windows Insider Program for Business.
Disabling safeguards does not guarantee your device will be able to successfully update. The update might still fail and will likely result in a bad experience since you are bypassing the protection against known issues.
> [!NOTE]
-> After a device installs a new Windows 10 version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
+> After a device installs a new Windows client version, the **Disable safeguards for Feature Updates** Group Policy will revert to “not configured” even if it was previously enabled. We do this to ensure the admin is consciously disabling Microsoft’s default protection from known issues for each new feature update.
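Review bot: the trailing "and in Windows 11" in the availability sentence reads as if Windows 11 also needs the October 2020 security update; split the clause, for example "This policy is available to Windows Update for Business devices running Windows 10, version 1809 or later that have installed the October 2020 security update, and to devices running Windows 11."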
diff --git a/windows/deployment/update/servicing-stack-updates.md b/windows/deployment/update/servicing-stack-updates.md
index 6b9563437a..15a43dfe2f 100644
--- a/windows/deployment/update/servicing-stack-updates.md
+++ b/windows/deployment/update/servicing-stack-updates.md
@@ -1,5 +1,5 @@
---
-title: Servicing stack updates (Windows 10)
+title: Servicing stack updates
description: In this article, learn how servicing stack updates improve the code that installs the other updates.
ms.prod: w10
ms.mktglfcycl: manage
@@ -20,7 +20,8 @@ ms.custom: seo-marvel-apr2020
**Applies to**
-- Windows 10, Windows 8.1, Windows 8, Windows 7
+- Windows 10
+- Windows 11
## What is a servicing stack update?
Servicing stack updates provide fixes to the servicing stack, the component that installs Windows updates. Additionally, it contains the "component-based servicing stack" (CBS), which is a key underlying component for several elements of Windows deployment, such as DISM, SFC, changing Windows features or roles, and repairing components. The CBS is a small component that typically does not have updates released every month.
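Review bot: dropping Windows 8.1, Windows 8 and Windows 7 from Applies to is a scope change that goes beyond the Windows 11 additions the rest of this patch makes, and nothing in the hunk says those versions stopped receiving servicing stack updates; if the page is now meant to cover only Windows 10 and Windows 11, say so in the body, otherwise keep the versions that are still serviced. While here, the unchanged sentence "Additionally, it contains the "component-based servicing stack" (CBS)" has no singular antecedent for "it" (the subject is "Servicing stack updates"); "Additionally, the servicing stack contains ..." reads correctly.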
@@ -38,7 +39,7 @@ Servicing stack update are released depending on new issues or vulnerabilities.
## What's the difference between a servicing stack update and a cumulative update?
-Both Windows 10 and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
+Both Windows client and Windows Server use the cumulative update mechanism, in which many fixes to improve the quality and security of Windows are packaged into a single update. Each cumulative update includes the changes and fixes from all previous updates.
Servicing stack updates must ship separately from the cumulative updates because they modify the component that installs Windows updates. The servicing stack is released separately because the servicing stack itself requires an update. For example, the cumulative update [KB4284880](https://support.microsoft.com/help/4284880/windows-10-update-kb4284880) requires the [May 17, 2018 servicing stack update](https://support.microsoft.com/help/4132216), which includes updates to Windows Update.
diff --git a/windows/deployment/update/update-baseline.md b/windows/deployment/update/update-baseline.md
index 2e4ab4fd64..a8e162f8c3 100644
--- a/windows/deployment/update/update-baseline.md
+++ b/windows/deployment/update/update-baseline.md
@@ -15,7 +15,10 @@ ms.topic: article
**Applies to:** Windows 10
-With the large number of different policies offered for Windows 10, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
+> [!NOTE]
+> Update Baseline is not currently available for Windows 11.
+
+With the large number of different policies offered for Windows client, Update Baseline provides a clear list of recommended Windows Update policy settings for IT administrators who want the best user experience while also meeting their monthly update compliance goals. See [Policies included in the Update Baseline](#policies-included-in-the-update-baseline) for the full list of policy configurations.
## Why is Update Baseline needed?
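Review bot: changing "Windows 10" to "Windows client" in the body contradicts the note added two lines above and the unchanged "Applies to: Windows 10" line; elsewhere in this patch "Windows client" means Windows 10 and Windows 11, so if Update Baseline is not available for Windows 11 the paragraph should keep saying "Windows 10".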
diff --git a/windows/deployment/update/update-compliance-configuration-manual.md b/windows/deployment/update/update-compliance-configuration-manual.md
index e15c04a0eb..339e8ed571 100644
--- a/windows/deployment/update/update-compliance-configuration-manual.md
+++ b/windows/deployment/update/update-compliance-configuration-manual.md
@@ -27,7 +27,7 @@ The requirements are separated into different categories:
1. Ensuring the [**required policies**](#required-policies) for Update Compliance are correctly configured.
2. Devices in every network topography must send data to the [**required endpoints**](#required-endpoints) for Update Compliance. For example, devices in both main and satellite offices, which might have different network configurations must be able to reach the endpoints.
3. Ensure [**Required Windows services**](#required-services) are running or are scheduled to run. It is recommended all Microsoft and Windows services are set to their out-of-box defaults to ensure proper functionality.
-4. [**Run a full Census sync**](#run-a-full-census-sync) on new devices to ensure that all necessary data points are collected.
+
## Required policies
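Review bot: replacing list item 4 with an empty "+" line leaves a stray blank line at the end of the numbered list; delete the line outright. More importantly, this item was the only pointer to the full Census sync for devices that are configured manually, and the endpoint table in this same file still says DeviceCensus.exe must run on a regular cadence for the WaaSUpdateStatus data to arrive; if the full sync is no longer required, or is now done only by the Update Compliance Configuration Script, state that in the remaining text so readers who do not use the script know what to expect.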
@@ -67,7 +67,7 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
| **Endpoint** | **Function** |
|---------------------------------------------------------|-----------|
-| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. Census.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
+| `https://v10c.events.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1803 and later. DeviceCensus.exe must run on a regular cadence and contact this endpoint in order to receive the majority of [WaaSUpdateStatus](update-compliance-schema-waasupdatestatus.md) information for Update Compliance. |
| `https://v10.vortex-win.data.microsoft.com` | Connected User Experience and Diagnostic component endpoint for Windows 10, version 1709 or earlier. |
| `https://settings-win.data.microsoft.com` | Required for Windows Update functionality. |
| `http://adl.windows.com` | Required for Windows Update functionality. |
@@ -80,12 +80,3 @@ To enable data sharing between devices, your network, and Microsoft's Diagnostic
Many Windows and Microsoft services are required to ensure that not only the device can function, but Update Compliance can see device data. It is recommended that you allow all default services from the out-of-box experience to remain running. The [Update Compliance Configuration Script](update-compliance-configuration-script.md) checks whether the majority of these services are running or are allowed to run automatically.
-## Run a full Census sync
-
-Census is a service that runs on a regular schedule on Windows devices. A number of key device attributes, like what operating system edition is installed on the device, are included in the Census payload. However, to save network load and system resources, data that tends to be more static (like edition) is sent approximately once per week rather than on every daily run. Because of this behavior, these attributes can take longer to appear in Update Compliance unless you start a full Census sync. The Update Compliance Configuration Script will do a full sync.
-
-A full Census sync adds a new registry value to Census's path. When this registry value is added, Census's configuration is overridden to force a full sync. For Census to work normally, this registry value should be enabled, Census should be started manually, and then the registry value should be disabled. Follow these steps:
-
-1. For every device you are manually configuring for Update Compliance and do not plan to use the [Update Compliance Configuration Script](update-compliance-configuration-script.md), add or modify the registry key located at **HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Census** to include a new **DWORD value** named **FullSync** and set to **1**.
-2. Run Devicecensus.exe with administrator privileges on every device. Devicecensus.exe is in the System32 folder. No additional run parameters are required.
-3. After Devicecensus.exe has run, the **FullSync** registry value can be removed or set to **0**.
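Review bot: the deletion leaves no replacement for the FullSync procedure and no explanation of why it is gone; the removed text said the Update Compliance Configuration Script performs the full sync and that static attributes such as edition can otherwise take longer to appear, so a one-line pointer under "Required services" (where the script is already mentioned) that the script handles the Census sync, and that manually configured devices may report those attributes later, would preserve that information. This hunk and the earlier removal of step 4 are one logical change; keep them together in the commit.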
diff --git a/windows/deployment/update/update-compliance-configuration-mem.md b/windows/deployment/update/update-compliance-configuration-mem.md
index f700affa62..55c83a3ecc 100644
--- a/windows/deployment/update/update-compliance-configuration-mem.md
+++ b/windows/deployment/update/update-compliance-configuration-mem.md
@@ -16,6 +16,10 @@ ms.topic: article
---
# Configuring Microsoft Endpoint Manager devices for Update Compliance
+**Applies to**
+
+- Windows 10
+- Windows 11
> [!NOTE]
> As of May 10, 2021, a new policy is required to use Update Compliance: "Allow Update Compliance Processing." For more details, see the Mobile Device Management policies and Group policies tables.
diff --git a/windows/deployment/update/update-policies.md b/windows/deployment/update/update-policies.md
index a9b3b9cd95..f6bb3195f2 100644
--- a/windows/deployment/update/update-policies.md
+++ b/windows/deployment/update/update-policies.md
@@ -1,8 +1,8 @@
---
-title: Policies for update compliance, activity, and end-user experience
+title: Policies for update compliance, activity, and user experience
ms.reviewer:
manager: laurawi
-description:
+description: Explanation and recommendations for settings
keywords: updates, servicing, current, deployment, semi-annual channel, feature, quality, rings, insider, tools
ms.prod: w10
ms.mktglfcycl: manage
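Review bot: the new description "Explanation and recommendations for settings" is too generic for the page description metadata, which is what the docs site and search engines show as the summary; make it specific to the page, for example "Recommended Windows Update policy settings for update compliance deadlines, update activity, and user experience on Windows 10 and Windows 11."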
@@ -14,7 +14,13 @@ ms.topic: article
ms.collection: M365-modern-desktop
---
-# Policies for update compliance, activity, and end-user experience
+# Policies for update compliance, activity, and user experience
+
+**Applies to**
+
+- Windows 10
+- Windows 11
+
Keeping devices up to date is the best way to keep them working smoothly and securely.
## Deadlines for update compliance
@@ -25,7 +31,7 @@ deadline approaches, and then prioritize velocity as the deadline nears, while s
### Deadlines
Beginning with Windows 10, version 1903 and with the August 2019 security update for Windows 10, version 1709
-and late, a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
+and later (including Windows 11), a new policy was introduced to replace older deadline-like policies: **Specify deadlines for automatic updates and restarts**.
The older policies started enforcing deadlines once the device reached a “restart pending” state for
an update. The new policy starts the countdown for the update installation deadline from when the
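Review bot: "version 1709 and later (including Windows 11)" attaches Windows 11 to the August 2019 security update clause, which is a Windows 10 update; move it out of that clause: "Beginning with Windows 10, version 1903, with the August 2019 security update for Windows 10, version 1709 and later, and in Windows 11, a new policy was introduced to replace older deadline-like policies".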
@@ -40,7 +46,7 @@ restarts for maximum update velocity).
We recommend you set deadlines as follows:
- Quality update deadline, in days: 3
- Feature update deadline, in days: 7
--
+
Notifications are automatically presented to the user at appropriate times, and users can choose to be reminded
later, to reschedule, or to restart immediately, depending on how close the deadline is. We recommend that you
do **not** set any notification policies, because they are automatically configured with appropriate defaults. An exception is if you
@@ -172,7 +178,7 @@ The default timeout on devices that support traditional sleep is set to three ho
## Old or conflicting policies
-Each release of Windows 10 can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
+Each release of Windows client can introduce new policies to make the experience better for both administrators and their organizations. When we release a new client policy, we either release it purely for that release and later or we backport the policy to make it available on earlier versions.
> [!IMPORTANT]
> If you are using Group Policy, note that we don't update the old ADMX templates and you must use the newer (1903) ADMX template in order to use the newer policy. Also, if you are
diff --git a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
index 52a1ec6f2c..4070bb332d 100644
--- a/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
+++ b/windows/deployment/update/waas-deployment-rings-windows-10-updates.md
@@ -1,6 +1,6 @@
---
-title: Build deployment rings for Windows 10 updates (Windows 10)
-description: Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades.
+title: Build deployment rings for Windows client updates
+description: Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -12,12 +12,13 @@ ms.collection: M365-modern-desktop
ms.topic: article
---
-# Build deployment rings for Windows 10 updates
-
+# Build deployment rings for Windows client updates
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
+
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
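Review bot: the "- Windows 10" line is removed and re-added with no visible difference, which usually means a trailing-whitespace or encoding change; if that is not intended, drop it from the hunk so the diff shows only the real change (the new "- Windows 11" item). The "-" line directly after the old H1 also removes the blank line between the heading and "Applies to", while the equivalent hunk in waas-manage-updates-wsus.md keeps its layout; keep the two pages consistent.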
@@ -26,7 +27,7 @@ ms.topic: article
For Windows as a service, maintenance is ongoing and iterative. Deploying previous versions of Windows required organizations to build sets of users to roll out the changes in phases. Typically, these users ranged (in order) from the most adaptable and least risky to the least adaptable or riskiest. With Windows 10, a similar methodology exists, but construction of the groups is a little different.
-Deployment rings in Windows 10 are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows 10, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
+Deployment rings in Windows client are similar to the deployment groups most organizations constructed for previous major revision upgrades. They are simply a method by which to separate machines into a deployment timeline. With Windows client, you construct deployment rings a bit differently in each servicing tool, but the concepts remain the same. Each deployment ring should reduce the risk of issues derived from the deployment of the feature updates by gradually deploying the update to entire departments. As previously mentioned, consider including a portion of each department’s employees in several deployment rings.
Defining deployment rings is generally a one-time event (or at least infrequent), but IT should revisit these groups to ensure that the sequencing is still correct. Also, there are times in which client computers could move between different deployment rings when necessary.
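Review bot: the unchanged sentence just above, "With Windows 10, a similar methodology exists, but construction of the groups is a little different", still says Windows 10 while the rewritten paragraph below it says Windows client; update it as well, and "Deploying previous versions of Windows" in that same sentence is clearer as "Deploying earlier versions of Windows" now that Windows 11 is in scope.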
@@ -36,36 +37,26 @@ Table 1 provides an example of the deployment rings you might use.
| Deployment ring | Servicing channel | Deferral for feature updates | Deferral for quality updates | Example |
| --- | --- | --- | --- | --- |
-| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the semi-annual channel |
-| Broad | Semi-annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedbackPause updates if there are critical issues |
-| Critical | Semi-annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for a period of time by the majority of the organization |
+| Preview | Windows Insider Program | None | None | A few machines to evaluate early builds prior to their arrival to the Semi-Annual channel |
+| Broad | Semi-Annual channel | 120 days | 7-14 days | Broadly deployed to most of the organization and monitored for feedbackPause updates if there are critical issues |
+| Critical | Semi-Annual channel | 180 days | 30 days | Devices that are critical and will only receive updates once they've been vetted for some time by most of the organization |
>[!NOTE]
>In this example, there are no rings made up of the long-term servicing channel (LTSC). The LTSC does not receive feature updates.
-As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is completely customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
+As Table 1 shows, each combination of servicing channel and deployment group is tied to a specific deployment ring. As you can see, the associated groups of devices are combined with a servicing channel to specify which deployment ring those devices and their users fall into. The naming convention used to identify the rings is customizable as long as the name clearly identifies the sequence. Deployment rings represent a sequential deployment timeline, regardless of the servicing channel they contain. Deployment rings will likely rarely change for an organization, but they should be periodically assessed to ensure that the deployment cadence still makes sense.
-## Steps to manage updates for Windows 10
+## Steps to manage updates for Windows client
| | |
| --- | --- |
|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | Build deployment rings for Windows 10 updates (this topic) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+|  | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | Build deployment rings for Windows client updates (this article) |
+|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
-## Related topics
-- [Update Windows 10 in the enterprise](index.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Manage software updates in Intune](/intune/windows-update-for-business-configure)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Manage device restarts after updates](waas-restart.md)
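Review bot: the Configuration Manager link in the last row of the steps table still reads "Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager" while the rest of that row, and the matching row in waas-manage-updates-wsus.md in this patch, say "Windows client"; update it. Two more points: the Servicing channel column now covers Windows 11 but names only the Semi-Annual channel, whereas the WSUS page in this same patch writes "Semi-Annual Channel (or General Availability Channel)", so use the same wording here; and the Related topics list is deleted wholesale, which drops the only links from this page to Delivery Optimization, BranchCache, the Windows Update for Business configuration and integration articles, the Group Policy walkthrough, and restart management, none of which appear in the steps table. If those should stay reachable, keep the list with its titles updated or link them elsewhere on the page.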
diff --git a/windows/deployment/update/waas-manage-updates-wsus.md b/windows/deployment/update/waas-manage-updates-wsus.md
index d6f97a6fae..3556cec273 100644
--- a/windows/deployment/update/waas-manage-updates-wsus.md
+++ b/windows/deployment/update/waas-manage-updates-wsus.md
@@ -1,5 +1,5 @@
---
-title: Deploy Windows 10 updates using Windows Server Update Services (Windows 10)
+title: Deploy Windows client updates using Windows Server Update Services
description: WSUS allows companies to defer, selectively approve, choose when delivered, and determine which devices receive updates.
ms.prod: w10
ms.mktglfcycl: manage
@@ -11,12 +11,13 @@ manager: laurawi
ms.topic: article
---
-# Deploy Windows 10 updates using Windows Server Update Services (WSUS)
+# Deploy Windows client updates using Windows Server Update Services (WSUS)
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -26,13 +27,13 @@ ms.topic: article
WSUS is a Windows Server role available in the Windows Server operating systems. It provides a single hub for Windows updates within an organization. WSUS allows companies not only to defer updates but also to selectively approve them, choose when they’re delivered, and determine which individual devices or groups of devices receive them. WSUS provides additional control over Windows Update for Business but does not provide all the scheduling options and deployment flexibility that Microsoft Endpoint Manager provides.
-When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows 10 client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 10.
+When you choose WSUS as your source for Windows updates, you use Group Policy to point Windows client devices to the WSUS server for their updates. From there, updates are periodically downloaded to the WSUS server and managed, approved, and deployed through the WSUS administration console or Group Policy, streamlining enterprise update management. If you’re currently using WSUS to manage Windows updates in your environment, you can continue to do so in Windows 11.
-## Requirements for Windows 10 servicing with WSUS
+## Requirements for Windows client servicing with WSUS
-To be able to use WSUS to manage and deploy Windows 10 feature updates, you must use a supported WSUS version:
+To be able to use WSUS to manage and deploy Windows feature updates, you must use a supported WSUS version:
- WSUS 10.0.14393 (role in Windows Server 2016)
- WSUS 10.0.17763 (role in Windows Server 2019)
- WSUS 6.2 and 6.3 (role in Windows Server 2012 and Windows Server 2012 R2)
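Review bot: "manage and deploy Windows feature updates" drops the "client" qualifier that the heading directly above ("Requirements for Windows client servicing with WSUS") and the rest of this patch use; write "Windows client feature updates" so the sentence is not read as covering Windows Server as well. The supported WSUS version list below is left unchanged; if any of the listed versions cannot serve Windows 11 feature updates, this list is where readers will look for that.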
@@ -108,7 +109,7 @@ As Windows clients refresh their computer policies (the default Group Policy ref
## Create computer groups in the WSUS Administration Console
>[!NOTE]
->The following procedures use the groups from Table 1 in [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) as examples.
+>The following procedures use the groups from Table 1 in [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) as examples.
You can use computer groups to target a subset of devices that have specific quality and feature updates. These groups represent your deployment rings, as controlled by WSUS. You can populate the groups either manually by using the WSUS Administration Console or automatically through Group Policy. Regardless of the method you choose, you must first create the groups in the WSUS Administration Console.
@@ -241,10 +242,11 @@ The next time the clients in the **Ring 4 Broad Business Users** security group
For clients that should have their feature updates approved as soon as they’re available, you can configure Automatic Approval rules in WSUS.
>[!NOTE]
->WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel, the devices in the Semi-Annual Channel will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
+>WSUS respects the client device's servicing branch. If you approve a feature update while it is still in one branch, such as Insider Preview, WSUS will install the update only on devices that are in that servicing branch. When Microsoft releases the build for Semi-Annual Channel (or General Availability Channel), the devices in that will install it. Windows Update for Business branch settings do not apply to feature updates through WSUS.
-**To configure an Automatic Approval rule for Windows 10 feature updates and approve them for the Ring 3 Broad IT deployment ring**
+**To configure an Automatic Approval rule for Windows client feature updates and approve them for the Ring 3 Broad IT deployment ring**
+This example uses Windows 10, but the process is the same for Windows 11.
1. In the WSUS Administration Console, go to Update Services\\*Server_Name*\Options, and then select **Automatic Approvals**.
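Review bot: "the devices in that will install it" is missing a noun; write "the devices in that channel will install it". Also, the added sentence "This example uses Windows 10, but the process is the same for Windows 11." is placed directly under the bold procedure title with no blank line between them, so it renders as part of the same paragraph; put it above the bold title as its own paragraph, or at least separate it with a blank line.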
@@ -273,16 +275,16 @@ For clients that should have their feature updates approved as soon as they’re
>[!NOTE]
>WSUS does not honor any existing month/week/day [deferral settings](waas-configure-wufb.md#configure-when-devices-receive-feature-updates). That said, if you’re using Windows Update for Business for a computer for which WSUS is also managing updates, when WSUS approves the update, it will be installed on the computer regardless of whether you configured Group Policy to wait.
-Now, whenever Windows 10 feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
+Now, whenever Windows client feature updates are published to WSUS, they will automatically be approved for the **Ring 3 Broad IT** deployment ring with an installation deadline of 1 week.
> [!WARNING]
-> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows 10 version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
+> The auto approval rule runs after synchronization occurs. This means that the *next* upgrade for each Windows client version will be approved. If you select **Run Rule**, all possible updates that meet the criteria will be approved, potentially including older updates that you don't actually want--which can be a problem when the download sizes are very large.
## Manually approve and deploy feature updates
You can manually approve updates and set deadlines for installation within the WSUS Administration Console, as well. It might be best to approve update rules manually after your pilot deployment has been updated.
-To simplify the manual approval process, start by creating a software update view that contains only Windows 10 updates.
+To simplify the manual approval process, start by creating a software update view that contains only Windows 10 (in this example) updates. The process is the same for Windows 11 updates.
> [!NOTE]
> If you approve more than one feature update for a computer, an error can result with the client. Approve only one feature update per computer.
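Review bot: "contains only Windows 10 (in this example) updates" splits the noun phrase with the parenthetical; write "contains only Windows 10 updates (this example uses Windows 10; the process is the same for Windows 11)". Since the view created below is named "All Windows 10 Upgrades", it is more useful to say that a Windows 11 reader needs a separate view filtered on Windows 11 than that the process is the same.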
@@ -329,33 +331,16 @@ Now that you have the **All Windows 10 Upgrades** view, complete the following s
-## Steps to manage updates for Windows 10
+## Steps to manage updates for Windows client
| | |
| --- | --- |
|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows 10 updates using Windows Server Update Services (this topic)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+|  | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or Deploy Windows client updates using Windows Server Update Services (this topic)or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service)
-- [Manage device restarts after updates](waas-restart.md)
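Review bot: the added "Deploy" table row carries over the missing spaces around both "or" from the removed line (`...(waas-manage-updates-wufb.md)or Deploy Windows client updates ...(this topic)or [Deploy...`), so the rendered cell runs the words together; add " or " (or a `<br>`) on each side. Separately, deleting the "Related topics" section drops this page's links to Configure Delivery Optimization, Configure BranchCache, Configure Windows Update for Business, Integrate Windows Update for Business, both walkthroughs, and Manage device restarts; none of those appear in the steps table, so confirm they remain reachable from the TOC before merging.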
diff --git a/windows/deployment/update/waas-optimize-windows-10-updates.md b/windows/deployment/update/waas-optimize-windows-10-updates.md
index 672e2ff5a9..32f43cc742 100644
--- a/windows/deployment/update/waas-optimize-windows-10-updates.md
+++ b/windows/deployment/update/waas-optimize-windows-10-updates.md
@@ -1,5 +1,5 @@
---
-title: Optimize update delivery for Windows 10 updates (Windows 10)
+title: Optimize update delivery for Windows client updates
description: Two methods of peer-to-peer content distribution are available in Windows 10, Delivery Optimization and BranchCache.
ms.prod: w10
ms.mktglfcycl: manage
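Review bot: the title is renamed to "Windows client updates", but the `description` context line directly below still says "available in Windows 10"; update it in the same pass (for example "available in Windows client") so the page metadata stays consistent with the new title.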
@@ -11,24 +11,25 @@ manager: laurawi
ms.topic: article
---
-# Optimize Windows 10 update delivery
+# Optimize Windows client update delivery
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
-When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows 10 offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows 10.
+When considering your content distribution strategy for Windows 10, think about enabling a form of peer-to-peer content sharing to reduce bandwidth issues during updates. Windows client offers two peer-to-peer options for update content distribution: Delivery Optimization and BranchCache. These technologies can be used with several of the servicing tools for Windows client.
-Two methods of peer-to-peer content distribution are available in Windows 10.
+Two methods of peer-to-peer content distribution are available.
-- [Delivery Optimization](waas-delivery-optimization.md) is a new peer-to-peer distribution method in Windows 10. Windows 10 clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests.
+- [Delivery Optimization](waas-delivery-optimization.md) is a peer-to-peer distribution method in Windows. Windows clients can source content from other devices on their local network that have already downloaded the updates or from peers over the internet. Using the settings available for Delivery Optimization, clients can be configured into groups, allowing organizations to identify devices that are possibly the best candidates to fulfill peer-to-peer requests.
Windows Update, Windows Update for Business, and Windows Server Update Services (WSUS) can use Delivery Optimization. Delivery Optimization can significantly reduce the amount of network traffic to external Windows Update sources as well as the time it takes for clients to retrieve the updates.
-- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows 10 operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
+- [BranchCache](waas-branchcache.md) is a bandwidth optimization technology that is included in some editions of Windows Server 2016 and Windows operating systems, as well as in some editions of Windows Server 2012 R2, Windows 8.1, Windows Server 2012, Windows 8, Windows Server 2008 R2, and Windows 7.
>[!NOTE]
>Full BranchCache functionality is supported in Windows 10 Enterprise and Education; Windows 10 Pro supports some BranchCache functionality, including BITS transfers used for servicing operations.
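Review bot: the first added paragraph still opens with "content distribution strategy for Windows 10" while the rest of that paragraph was changed to "Windows client"; apply the same rename. In the BranchCache bullet, replacing "Windows 10" with bare "Windows" leaves "Windows Server 2016 and Windows operating systems", which no longer says anything useful; suggest "Windows client operating systems". The trailing NOTE still scopes BranchCache support to Windows 10 Enterprise, Education and Pro; either extend it to the Windows 11 editions if that is accurate, or note that it is intentionally Windows 10 specific.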
@@ -49,7 +50,7 @@ Two methods of peer-to-peer content distribution are available in Windows 10.
## Express update delivery
-Windows 10 quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
+Windows client quality update downloads can be large because every package contains all previously released fixes to ensure consistency and simplicity. Windows has been able to reduce the size of Windows Update downloads with a feature called Express.
> [!NOTE]
> Express update delivery applies to quality update downloads. Starting with Windows 10, version 1709, Express update delivery also applies to feature update downloads for clients connected to Windows Update and Windows Update for Business.
@@ -84,25 +85,15 @@ At this point, the download is complete and the update is ready to be installed.
> [!TIP]
> Express will **always** be leveraged if your machines are updated regularly with the latest cumulative updates.
-## Steps to manage updates for Windows 10
+## Steps to manage updates for Windows client
| | |
| --- | --- |
|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Prepare servicing strategy for Windows client updates](waas-servicing-strategy-windows-10-updates.md) |
+|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
|  | Optimize update delivery for Windows 10 updates (this topic) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)
or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Manage device restarts after updates](waas-restart.md)
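Review bot: the "(this topic)" row is left as "Optimize update delivery for Windows 10 updates (this topic)" while the rows around it were renamed to "Windows client updates"; rename it as well so the table matches the new page title. As on the WSUS page, removing "Related topics" drops the links to Configure Delivery Optimization, Configure BranchCache, Configure Windows Update for Business, Integrate Windows Update for Business, the two walkthroughs and Manage device restarts, none of which appear in the steps table; confirm they are still reachable from the TOC.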
diff --git a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
index e22c1fd433..86a3d1f00d 100644
--- a/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
+++ b/windows/deployment/update/waas-servicing-strategy-windows-10-updates.md
@@ -1,6 +1,6 @@
---
-title: Prepare servicing strategy for Windows 10 updates (Windows 10)
-description: A strong Windows 10 deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
+title: Prepare servicing strategy for Windows client updates
+description: A strong Windows client deployment strategy begins with establishing a simple, repeatable process for testing and deploying each feature update.
ms.prod: w10
ms.mktglfcycl: manage
author: jaimeo
@@ -17,7 +17,8 @@ ms.collection: m365initiative-coredeploy
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -48,25 +49,13 @@ Each time Microsoft releases a Windows 10 feature update, the IT department shou
3. **Deploy broadly.** Finally, focus on the large-scale deployment using deployment rings, like the ones discussed in Table 1. Build deployment rings that target groups of computers in your selected update-management product. To reduce risk as much as possible, construct your deployment rings in a way that splits individual departments into multiple rings. This way, if you were to encounter an issue, you don’t prevent any critical business from continuing. By using this method, each deployment ring reduces risk as more people have been updated in any particular department.
-## Steps to manage updates for Windows 10
+## Steps to manage updates for Windows client
| | |
| --- | --- |
|  | [Learn about updates and servicing channels](waas-overview.md) |
-|  | Prepare servicing strategy for Windows 10 updates (this topic) |
-|  | [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) |
-|  | [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md) |
-|  | [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md) |
-|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Group Policy to configure Windows Update for Business](waas-wufb-group-policy.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
+|  | Prepare servicing strategy for Windows client updates (this topic) |
+|  | [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) |
+|  | [Assign devices to servicing channels for Windows client updates](waas-servicing-channels-windows-10-updates.md) |
+|  | [Optimize update delivery for Windows client updates](waas-optimize-windows-10-updates.md) |
+|  | [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)or [Deploy Windows client updates using Windows Server Update Services](waas-manage-updates-wsus.md)or [Deploy Windows client updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service) |
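Review bot: the last added row keeps the missing spaces around "or" from the removed line (`...wufb.md)or [Deploy Windows client updates ...` and again `...wsus.md)or [Deploy...`), so the cell renders with the words run together; add " or " on both sides. The hunk context also shows the section intro still reading "Each time Microsoft releases a Windows 10 feature update"; it is worth aligning with the new "Windows client" wording while this file is open.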
diff --git a/windows/deployment/update/waas-wu-settings.md b/windows/deployment/update/waas-wu-settings.md
index c136773bec..eb37c09b3c 100644
--- a/windows/deployment/update/waas-wu-settings.md
+++ b/windows/deployment/update/waas-wu-settings.md
@@ -47,7 +47,7 @@ You can use Group Policy settings or mobile device management (MDM) to configure
With Windows 10, admins have a lot of flexibility in configuring how their devices scan and receive updates.
-[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them to option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
+[Specify Intranet Microsoft update service location](#specify-intranet-microsoft-update-service-location) allows admins to point devices to an internal Microsoft update service location, while [Do not connect to any Windows Update Internet locations](#do-not-connect-to-any-windows-update-internet-locations) gives them the option to restrict devices to just that internal update service. [Automatic Updates Detection Frequency](#automatic-updates-detection-frequency) controls how frequently devices scan for updates.
You can make custom device groups that'll work with your internal Microsoft update service by using [Enable client-side targeting](#enable-client-side-targeting). You can also make sure your devices receive updates that were not signed by Microsoft from your internal Microsoft update service, through [Allow signed updates from an intranet Microsoft update service location](#allow-signed-updates-from-an-intranet-microsoft-update-service-location).
@@ -255,4 +255,4 @@ HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
+- [Manage device restarts after updates](waas-restart.md)
diff --git a/windows/deployment/update/waas-wufb-csp-mdm.md b/windows/deployment/update/waas-wufb-csp-mdm.md
index bdc0a8d662..bef5342d10 100644
--- a/windows/deployment/update/waas-wufb-csp-mdm.md
+++ b/windows/deployment/update/waas-wufb-csp-mdm.md
@@ -16,7 +16,8 @@ ms.topic: article
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
> **Looking for consumer information?** See [Windows Update: FAQ](https://support.microsoft.com/help/12373/windows-update-faq)
@@ -29,7 +30,7 @@ An IT administrator can set policies for Windows Update for Business by using Mi
To manage updates with Windows Update for Business, you should prepare with these steps, if you haven't already:
-- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows 10.
+- Create Active Directory security groups that align with the deployment rings you use to phase deployment of updates. See [Build deployment rings for Windows client updates](waas-deployment-rings-windows-10-updates.md) to learn more about deployment rings in Windows client.
- Allow access to the Windows Update service.
@@ -39,7 +40,7 @@ You can control when updates are applied, for example by deferring when an updat
### Determine which updates you want offered to your devices
-Both Windows 10 feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
+Both feature and quality updates are automatically offered to devices that are connected to Windows Update using Windows Update for Business policies. However, you can choose whether you want the devices to additionally receive other Microsoft Updates or drivers that are applicable to that device.
To enable Microsoft Updates use [Update/AllwMUUpdateService](/windows/client-management/mdm/policy-csp-update#update-allowmuupdateservice).
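Review bot: the context line directly below the change links `Update/AllwMUUpdateService` to the anchor `#update-allowmuupdateservice`; the link text is missing the "o" in "Allow". Since this paragraph is already being edited, fix the display name to `Update/AllowMUUpdateService` so it matches the policy name in the anchor.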
@@ -194,22 +195,3 @@ When you disable this setting, users will see **Some settings are managed by you
If you use Windows Server Update Server (WSUS), you can prevent users from scanning Windows Update. To do this, use [Update/SetDisableUXWUAccess](/windows/client-management/mdm/policy-csp-update#update-setdisableuxwuaccess).
-
-
-## Related topics
-
-- [Update Windows 10 in the enterprise](index.md)
-- [Overview of Windows as a service](waas-overview.md)
-- [Prepare servicing strategy for Windows 10 updates](waas-servicing-strategy-windows-10-updates.md)
-- [Build deployment rings for Windows 10 updates](waas-deployment-rings-windows-10-updates.md)
-- [Assign devices to servicing channels for Windows 10 updates](waas-servicing-channels-windows-10-updates.md)
-- [Optimize update delivery for Windows 10 updates](waas-optimize-windows-10-updates.md)
-- [Configure Delivery Optimization for Windows 10 updates](waas-delivery-optimization.md)
-- [Configure BranchCache for Windows 10 updates](waas-branchcache.md)
-- [Deploy updates using Windows Update for Business](waas-manage-updates-wufb.md)
-- [Configure Windows Update for Business](waas-configure-wufb.md)
-- [Integrate Windows Update for Business with management solutions](waas-integrate-wufb.md)
-- [Walkthrough: use Intune to configure Windows Update for Business](/intune/windows-update-for-business-configure)
-- [Deploy Windows 10 updates using Windows Server Update Services](waas-manage-updates-wsus.md)
-- [Deploy Windows 10 updates using Microsoft Endpoint Configuration Manager](/mem/configmgr/osd/deploy-use/manage-windows-as-a-service)
-- [Manage device restarts after updates](waas-restart.md)
\ No newline at end of file
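Review bot: this hunk removes the "Related topics" section without adding the steps table that the other pages in this change receive, so the MDM page loses its links to Build deployment rings, Assign devices to servicing channels, Optimize update delivery, Configure Delivery Optimization, Configure BranchCache, Integrate Windows Update for Business, the Intune walkthrough, the WSUS and Configuration Manager deployment pages, and Manage device restarts. Either confirm all of these are in the TOC or keep a trimmed list here.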
diff --git a/windows/deployment/update/waas-wufb-intune.md b/windows/deployment/update/waas-wufb-intune.md
index 8922733a56..fe639fa3d6 100644
--- a/windows/deployment/update/waas-wufb-intune.md
+++ b/windows/deployment/update/waas-wufb-intune.md
@@ -1,5 +1,5 @@
---
-title: Walkthrough use Intune to configure Windows Update for Business (Windows 10)
+title: Walkthrough use Intune to configure Windows Update for Business
description: In this article, learn how to configure Windows Update for Business settings using Microsoft Intune.
ms.prod: w10
ms.mktglfcycl: manage
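Review bot: the new title "Walkthrough use Intune to configure Windows Update for Business" still lacks the colon that the link text for this page uses elsewhere in this change ("Walkthrough: use Intune to configure Windows Update for Business"); since the title is being edited anyway, add the colon so the title matches the link text and the Group Policy walkthrough's naming.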
diff --git a/windows/deployment/update/windows-update-error-reference.md b/windows/deployment/update/windows-update-error-reference.md
index def8d11796..508a27d244 100644
--- a/windows/deployment/update/windows-update-error-reference.md
+++ b/windows/deployment/update/windows-update-error-reference.md
@@ -17,7 +17,10 @@ ms.custom: seo-marvel-apr2020
# Windows Update error codes by component
-> Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
This section lists the error codes for Microsoft Windows Update.
diff --git a/windows/deployment/update/windows-update-errors.md b/windows/deployment/update/windows-update-errors.md
index d66be080b0..ac67414ec6 100644
--- a/windows/deployment/update/windows-update-errors.md
+++ b/windows/deployment/update/windows-update-errors.md
@@ -7,34 +7,213 @@ audience: itpro
itproauthor: jaimeo
ms.audience: itpro
author: jaimeo
-ms.reviewer:
+ms.reviewer: kaushika
manager: laurawi
-ms.topic: article
+ms.topic: troubleshooting
ms.custom: seo-marvel-apr2020
---
# Windows Update common errors and mitigation
->Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
The following table provides information about common errors you might run into with Windows Update, as well as steps to help you mitigate them.
+## 0x8024402F
-| Error Code | Message | Description | Mitigation |
-|------------------------------------------|-----------------------------------|-----------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| 0x8024402F | WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External cab file processing completed with some errors | One of the reasons we see this issue is due to the design of a software called Lightspeed Rocket for Web filtering.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed |
-| 0x80242006 | WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename Software Redistribution Folder and attempt to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2
Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
Ren %systemroot%\system32\catroot2 \*.bak |
-| 0x80070BC9 | ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. A system reboot is required to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. |
-| 0x80200053 | BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update Client.
If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc). |
-| 0x80072EE2 | WININET_E_TIMEOUT | The operation timed out | This error message can be caused if the computer isn't connected to the Internet. To fix this issue, follow these steps: make sure these URLs are not blocked:
http://.update.microsoft.com
https://.update.microsoft.com
You can also take a network trace to check what is timing out. \
0x80072EFE
0x80D02002 | TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxy to block Microsoft download URLs.
Take a network monitor trace to understand better. \
Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. |
-| 0x80244007 | WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows cannot renew the cookies for Windows Update.
Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
-| 0x80070422 | | This issue occurs when the Windows Update service stops working or is not running. | Check if the Windows Update service is running.
|
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_PT_ECP_SUCCEEDED_WITH_ERRORS | External .cab file processing completed with some errors | This can be caused by the Lightspeed Rocket for web filtering software.
Add the IP addresses of devices you want to get updates to the exceptions list of Lightspeed Rocket. |
+
+## 0x80242006
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_UH_INVALIDMETADATA | A handler operation could not be completed because the update contains invalid metadata. | Rename the software redistribution folder and try to download the updates again:
Rename the following folders to \*.BAK:
- %systemroot%\system32\catroot2
Type the following commands at a command prompt. Press ENTER after you type each command.
- Ren %systemroot%\SoftwareDistribution\DataStore \*.bak
- Ren %systemroot%\SoftwareDistribution\Download \*.bak
- Ren %systemroot%\system32\catroot2 \*.bak |
+
+## 0x80070BC9
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_FAIL_REBOOT_REQUIRED | The requested operation failed. Restart the system to roll back changes made. | Ensure that you don't have any policies that control the start behavior for the Windows Module Installer. This service should be managed by the operating system. |
+
+## 0x80200053
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| BG_E_VALIDATION_FAILED | NA | Ensure that there are no firewalls that filter downloads. Such filtering could lead to incorrect responses being received by the Windows Update client.
If the issue still persists, run the [Windows Update reset script](https://gallery.technet.microsoft.com/scriptcenter/Reset-Windows-Update-Agent-d824badc).|
+
+## 0x80072EFD or 0x80072EFE or 0x80D02002
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| TIME_OUT_ERRORS | The operation timed out | Make sure there are no firewall rules or proxies that block Microsoft download URLs.
Take a network monitor trace to understand better. \
Review [KB920659](https://support.microsoft.com/help/920659/the-microsoft-windows-server-update-services-wsus-selfupdate-service-d) for instructions to resolve the issue. |
+
+## 0x80244007
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_PT_SOAPCLIENT_SOAPFAULT | SOAP client failed because there was a SOAP fault for reasons of WU_E_PT_SOAP_\* error codes. | This issue occurs because Windows can't renew the cookies for Windows Update.
Review [KB2883975](https://support.microsoft.com/help/2883975/0x80244007-error-when-windows-tries-to-scan-for-updates-on-a-wsus-serv) for instructions to resolve the issue. |
+
+## 0x80070422
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| NA | This issue occurs when the Windows Update service stops working or isn't running. | Check if the Windows Update service is running.
|
+
+## 0x800f0821
+
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| CBS_E_ABORT; client abort, IDABORT returned by ICbsUIHandler method except Error() | CBS transaction timeout exceeded. | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the has installed the update in KB4493473 or later.|
+
+## 0x800f0825
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| CBS_E_CANNOT_UNINSTALL; Package cannot be uninstalled. | Typically this is due component store corruption caused when a component is in a partially installed state. | Repair the component store with the **Dism RestoreHealth** command or manually repair with a payload from the partially installed component. From an elevated command prompt, run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. |
+
+## 0x800F0920
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| CBS_E_HANG_DETECTED; A failure to respond was detected while processing the operation. | Subsequent error logged after getting 0x800f0821 | A servicing operation is taking a long time to complete. The servicing stack watchdog timer expires and assumes the system has stopped responding. Extending the timeout will mitigate the issue. Increase the resources on the device. If a virtual machine, increase virtual CPU and memory to speed up operations. Make sure the device has installed the update in KB4493473 or later.|
+
+## 0x800f081f
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| CBS_E_SOURCE_MISSING; source for package or file not found, ResolveSource() unsuccessful | Component Store corruption | Repair the component store with the **Dism RestoreHealth** command or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. |
+
+## 0x800f0831
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| CBS_E_STORE_CORRUPTION; CBS store is corrupted. | Corruption in the Windows Component Store. | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. |
+
+## 0x80070005
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| E_ACCESSDENIED; General access denied error | File system or registry key permissions have been changed and the servicing stack doesn't have the required level of access. | This error generally means an access was denied.
Go to %Windir%\logs\CBS, open the last CBS.log and search for “, error” and match with the timestamp. After finding the error, scroll up and try to determine what caused the access denial. It could be acess denied to a file, registry key. Determine what object needs the right permissions and change the permissions as needed. |
+
+## 0x80070570
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_FILE_CORRUPT; The file or directory is corrupted and unreadable. | Component Store corruption | Repair the component store with **Dism RestoreHealth** or manually repair with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device.|
+
+
+## 0x80070003
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_PATH_NOT_FOUND; The system cannot find the path specified. | The servicing stack cannot access a specific path. | Indicates an invalid path to an executable. Go to %Windir%\logs\CBS, open the last CBS.log, and search for “, error” and match with the timestamp. |
+
+
+## 0x80070020
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_SHARING_VIOLATION | Numerous causes. CBS log analysis required. | This error is usually caused by non-Microsoft filter drivers like antivirus.
1. [Perform a clean boot and retry the installation](https://support.microsoft.com/help/929135/)
2. Download the sysinternal tool [Process Monitor](/sysinternals/downloads/procmon).
3. Run Procmon.exe. It will start data capture automatically.
4. Install the update package again
5. With the Process Monitor main window in focus, press CTRL + E or select the magnifying glass to stop data capture.
6. Select **File > Save > All Events > PML**, and choose a path to save the .PML file
7. Go to %windir%\logs\cbs, open the last Cbs.log file, and search for the error. After finding the error line a bit above, you should have the file being accessed during the installation that is giving the sharing violation error
8. In Process Monitor, filter for path and insert the file name (it should be something like “path” “contains” “filename from CBS”).
9. Try to stop it or uninstall the process causing the error. |
+
+## 0x80073701
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_SXS_ASSEMBLY_MISSING; The referenced assembly could not be found. | Typically, a component store corruption caused when a component is in a partially installed state. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. |
+
+## 0x8007371b
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE; One or more required members of the transaction are not present. | Component Store corruption. | Repair the component store with **Dism RestoreHealth command** or manually repair it with the payload from the partially installed component. From an elevated command prompt and run these commands:
*DISM /ONLINE /CLEANUP-IMAGE /SCANHEALTH*
*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*
*DISM /ONLINE /CLEANUP-IMAGE /RESTOREHEALTH*
*Sfc /Scannow*
Restart the device. |
+
+## 0x80072EFE
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WININET_E_CONNECTION_ABORTED; The connection with the server was closed abnormally | BITS is unable to transfer the file successfully. | Encountered if BITS is broken or if the file being transferred can't be written to the destination folder on the client. This error is usually caused by connection errors while checking or downloading updates.
From a cmd prompt run: *BITSADMIN /LIST /ALLUSERS /VERBOSE*
Search for the 0x80072EFE error code. You should see a reference to an HTTP code with a specific file. Using a browser, try to download it manually, making sure you’re using your organization's proxy settings. If the download fails, check with your proxy manager to allow for the communication to be sucesfull. Also check with your network team for this specific URL access. |
+
+## 0x80072F8F
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WININET_E_DECODING_FAILED; Content decoding has failed | TLS 1.2 is not configured correctly on the client. | This error generally means that the Windows Update Agent was unable to decode the received content. Install and configure TLS 1.2 by installing the update in [KB3140245](https://support.microsoft.com/help/3140245/).
+
+## 0x80072EE2
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WININET_E_TIMEOUT; The operation timed out | Unable to scan for updates due to a connectivity issue to Windows Update, Configuration Manager, or WSUS. | This error generally means that the Windows Update Agent was unable to connect to the update servers or your own source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager.
Check with your network team to ensure that the device can reach the update sources. For more info, see [Troubleshoot software update scan failures in Configuration Manager](/mem/configmgr/troubleshoot-software-update-scan-failures).
If you’re using the public Microsoft update servers, check that your device can access the following Windows Update endpoints:
`http://windowsupdate.microsoft.com`
https://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
https://*.update.microsoft.com
https://*.update.microsoft.com
https://*.windowsupdate.com
https://download.windowsupdate.com
https://download.microsoft.com
https://*.download.windowsupdate.com
https://wustat.windows.com
https://ntservicepack.microsoft.com |
+
+## 0x80240022
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_ALL_UPDATES_FAILED; Operation failed for all the updates. | Multiple root causes for this error.| Most common issue is that antivirus software is blocking access to certain folders (like SoftwareDistribution). CBS.log analysis needed to determine the file or folder being protected. |
+
+## 0x8024401B
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_PT_HTTP_STATUS_PROXY_AUTH_REQ; Same as HTTP status 407 - proxy authentication is required. | Unable to authenticate through a proxy server. | Either the Winhttp proxy or WinInet proxy settings are not configured correctly. This error generally means that the Windows Update Agent was unable to connect to the update servers or your own update source, such as WSUS, Configuration Manager, or Microsoft Endpoint Manager, due to a proxy error.
Verify the proxy settings on the client. The Windows Update Agent uses WinHTTP to scan for available updates. When there is a proxy server between the client and the update source, the proxy settings must be configured correctly on the clients to enable them to communicate by using the source's FQDN.
Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. |
+
+
+## 0x80244022
+
+| Message | Description | Mitigation |
+|---------|-------------|------------|
+| WU_E_PT_HTTP_STATUS_SERVICE_UNAVAILABLE; Same as HTTP status 503 - the service is temporarily overloaded. | Unable to connect to the configured update source. | Network troubleshooting needed to resolve the connectivity issue. Check with your network and proxy teams to confirm that the device can the update source without the proxy requiring user authentication. |
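Review bot: `*DISM /ONLINE /CLEANUP-IMAGE /CHECKHEALT*` is a typo for `/CHECKHEALTH` in every repair sequence in this hunk (the CBS_E_CANNOT_UNINSTALL row and the 0x800f081f, 0x800f0831, 0x80070570, 0x80073701 and 0x8007371b rows); DISM rejects the misspelled option, so the published sequence fails at its second step. Fix that before merging. Smaller wording issues in the same rows: "From an elevated command prompt and run these commands" should read "From an elevated command prompt, run these commands" (the first row already has the correct form), "due component store corruption" needs "due to", "acess denied" (0x80070005) and "sucesfull" (0x80072EFE) are misspelled, and "confirm that the device can the update source" (0x8024401B and 0x80244022) is missing "reach". The 0x80244022 mitigation also reuses the 407 text "without the proxy requiring user authentication", which does not fit a 503 service-unavailable condition; drop that clause there. In the 0x80072EE2 endpoint list, `https://*.windowsupdate.microsoft.com` and `https://*.update.microsoft.com` each appear twice, and only the first entry is in a code span; dedupe and format consistently. The 0x80072F8F row is missing its closing `|`, which will break the table. Two mitigation steps deserve a more careful phrasing from a hardening standpoint: in 0x80070005, "change the permissions as needed" invites loosening ACLs under %Windir% or the servicing registry keys; recommend restoring the default (inherited) ACL on the identified object rather than granting broad access. In 0x80070020 step 9, "stop it or uninstall the process" applied to an antivirus or other filter driver removes protection; suggest a vendor-documented exclusion for the servicing paths identified in step 7 instead, and uninstalling only as a diagnostic last resort.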
diff --git a/windows/deployment/update/windows-update-resources.md b/windows/deployment/update/windows-update-resources.md
index b9eb08a9e3..fd1d2c3d80 100644
--- a/windows/deployment/update/windows-update-resources.md
+++ b/windows/deployment/update/windows-update-resources.md
@@ -18,6 +18,7 @@ author: jaimeo
**Applies to**:
- Windows 10
+- Windows 11
- Windows Server 2016
- Windows Server 2019
diff --git a/windows/deployment/update/windows-update-troubleshooting.md b/windows/deployment/update/windows-update-troubleshooting.md
index 802e6f9aa3..affb4df80e 100644
--- a/windows/deployment/update/windows-update-troubleshooting.md
+++ b/windows/deployment/update/windows-update-troubleshooting.md
@@ -15,13 +15,16 @@ ms.custom: seo-marvel-apr2020
# Windows Update troubleshooting
->Applies to: Windows 10
+**Applies to**
+
+- Windows 10
+- Windows 11
If you run into problems when using Windows Update, start with the following steps:
1. Run the built-in Windows Update troubleshooter to fix common issues. Navigate to **Settings > Update & Security > Troubleshoot > Windows Update**.
-2. Install the most recent Servicing Stack Update (SSU) that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates.
+2. Install the most recent Servicing Stack Update that matches your version of Windows from the Microsoft Update Catalog. See [Servicing stack updates](servicing-stack-updates.md) for more details on servicing stack updates.
3. Make sure that you install the latest Windows updates, cumulative updates, and rollup updates. To verify the update status, refer to the appropriate update history for your system:
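Review bot: `**Applies to**` here has no trailing colon, while the same PR writes `**Applies to**:` in windows-update-resources.md; pick one form for both files. The rewritten step 2 drops the "(SSU)" abbreviation even though the rest of the page and the linked article use the term; keep the abbreviation on first use so later mentions of SSU still resolve for the reader.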
@@ -171,11 +174,11 @@ Ensure that devices can reach necessary Windows Update endpoints through the fir
> [!NOTE]
> Be sure not to use HTTPS for those endpoints that specify HTTP, and vice versa. The connection will fail.
-The specific endpoints can vary between Windows 10 versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows 10 versions are available in the table of contents nearby.
+The specific endpoints can vary between Windows client versions. See, for example, [Windows 10 2004 Enterprise connection endpoints](/windows/privacy/manage-windows-2004-endpoints). Similar articles for other Windows client versions are available in the table of contents nearby.
## Updates aren't downloading from the intranet endpoint (WSUS or Configuration Manager)
-Windows 10 devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
+Windows client devices can receive updates from a variety of sources, including Windows Update online, a Windows Server Update Services server, and others. To determine the source of Windows Updates currently being used on a device, follow these steps:
1. Start Windows PowerShell as an administrator.
2. Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".
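Review bot: after generalizing "Windows 10 versions" to "Windows client versions", the only cited example remains the Windows 10 2004 endpoint article; if a Windows 11 endpoint article exists in the same TOC, link it here too so the generalization is backed by an example. In the unchanged step 2 below the hunk, `Run \$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager".` escapes the dollar sign in prose and ends with a period that reads as part of the command; put the command in a code span, e.g. `$MUSM = New-Object -ComObject "Microsoft.Update.ServiceManager"`, and move the period outside it.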
@@ -186,7 +189,7 @@ Check the output for the Name and OffersWindowsUPdates parameters, which you can
|Output|Meaning|
|-|-|
|- Name: Microsoft Update
-OffersWindowsUpdates: True| - The update source is Microsoft Update, which means that updates for other Microsoft products besides the operating system could also be delivered.
- Indicates that the client is configured to receive updates for all Microsoft Products (Office, etc.) |
-|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. |
+|- Name: DCat Flighting Prod
- OffersWindowsUpdates: True |- Starting with Windows 10, version 1709, feature updates are always delivered through the DCAT service.
- Indicates that the client is configured to receive feature updates from Windows Update. |
|- Name: Windows Store (DCat Prod)
- OffersWindowsUpdates: False |-The update source is Insider Updates for Store Apps.
- Indicates that the client will not receive or is not configured to receive these updates.|
|- Name: Windows Server Update Service
- OffersWindowsUpdates: True |- The source is a Windows Server Updates Services server.
- The client is configured to receive updates from WSUS. |
|- Name: Windows Update
- OffersWindowsUpdates: True|- The source is Windows Update.
- The client is configured to receive updates from Windows Update Online.|
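Review bot: only the "Starting with Windows 10, version 1709" style fix is made in the DCat Flighting Prod row, while the parameter name in the sentence introducing this table (visible in the hunk header, "OffersWindowsUPdates") is still misspelled; correct it to "OffersWindowsUpdates" so it matches the property name shown in the Output column. The "Windows Server Update Service" row reads "Windows Server Updates Services server" in its Meaning column; the product name is "Windows Server Update Services" (WSUS), so align both cells.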
@@ -230,8 +233,8 @@ As shown in the following logs, automatic update runs the scan and finds no upda
2018-08-06 10:58:47:383 480 5d8 Agent ** END ** Agent: Finding updates [CallerId = AutomaticUpdates Id = 57]
```
-## High bandwidth usage on Windows 10 by Windows Update
-Users might see that Windows 10 is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components.
+## High bandwidth usage on Windows client by Windows Update
+Users might see that Windows is consuming all the bandwidth in the different offices under the system context. This behavior is by design. Components that might consume bandwidth expand beyond Windows Update components.
The following group policies can help mitigate this situation:
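Review bot: the new heading "High bandwidth usage on Windows client by Windows Update" uses "Windows client" as a bare noun, which reads awkwardly and does not match the body text ("Windows is consuming all the bandwidth"); "on Windows client devices by Windows Update" keeps the intended scope and reads naturally.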
diff --git a/windows/deployment/upgrade/log-files.md b/windows/deployment/upgrade/log-files.md
index 5ebee9c364..f7c75013e7 100644
--- a/windows/deployment/upgrade/log-files.md
+++ b/windows/deployment/upgrade/log-files.md
@@ -116,7 +116,7 @@ Some lines in the text below are shortened to enhance readability. The date and
setuperr.log content:
-
+
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
27:08, Error MIG Error 1392 while gathering object C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Shell application requested abort![gle=0x00000570]
27:08, Error Gather failed. Last error: 0x00000000
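Review bot: the removed and added lines at the top of this hunk (and of the three following hunks in log-files.md) both render as empty here, so the actual change is invisible in review; if it is a whitespace-only edit or a code-fence language change, say so in the PR description, and if it is a fence change confirm that the setuperr.log excerpt below still renders as a single preformatted block.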
@@ -129,7 +129,7 @@ Some lines in the text below are shortened to enhance readability. The date and
The first line indicates there was an error **0x00000570** with the file **C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]** (shown below):
-
+
27:08, Error SP Error READ, 0x00000570 while gathering/applying object: File, C:\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 [CN]. Will return 0[gle=0x00000570]
@@ -139,7 +139,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
setupact.log content:
-
+
27:00, Info Gather started at 10/5/2016 23:27:00
27:00, Info [0x080489] MIG Setting system object filter context (System)
27:00, Info [0x0803e5] MIG Not unmapping HKCU\Software\Classes; it is not mapped
@@ -164,7 +164,7 @@ Therefore, Windows Setup failed because it was not able to migrate the corrupt f
setupapi.dev.log content:
-
+
>>> [Device Install (UpdateDriverForPlugAndPlayDevices) - PCI\VEN_8086&DEV_8C4F]
>>> Section start 2019/09/26 20:13:01.623
cmd: rundll32.exe "C:\WINDOWS\Installer\MSI6E4C.tmp",zzzzInvokeManagedCustomActionOutOfProc SfxCA_95972906 484 ChipsetWiX.CustomAction!Intel.Deployment.ChipsetWiX.CustomActions.InstallDrivers
diff --git a/windows/deployment/upgrade/upgrade-error-codes.md b/windows/deployment/upgrade/upgrade-error-codes.md
index b5a1b6ea61..93173e687a 100644
--- a/windows/deployment/upgrade/upgrade-error-codes.md
+++ b/windows/deployment/upgrade/upgrade-error-codes.md
@@ -92,13 +92,13 @@ The following tables provide the corresponding phase and operation for values of
@@ -106,45 +106,45 @@ The following tables provide the corresponding phase and operation for values of
Extend code: phase
-Hex Phase
- 0 SP_EXECUTION_UNKNOWN
- 1 SP_EXECUTION_DOWNLEVEL
- 2 SP_EXECUTION_SAFE_OS
- 3 SP_EXECUTION_FIRST_BOOT
- 4 SP_EXECUTION_OOBE_BOOT
- 5 SP_EXECUTION_UNINSTALL
+ Hex Phase
+ 0 SP_EXECUTION_UNKNOWN
+ 1 SP_EXECUTION_DOWNLEVEL
+ 2 SP_EXECUTION_SAFE_OS
+ 3 SP_EXECUTION_FIRST_BOOT
+ 4 SP_EXECUTION_OOBE_BOOT
+ 5 SP_EXECUTION_UNINSTALL
Extend code: operation
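Review bot: the first hunk header for upgrade-error-codes.md (`@@ -92,13 +92,13 @@`) has no body and is immediately followed by the `@@ -106,45 +106,45 @@` header, so this patch is malformed and will not apply cleanly; likewise the "Extend code: operation" tables that the second header's 45-line span should contain are absent here and show up instead under the offline-migration-reference.md diff below. Please regenerate the patch. Within the visible phase table, the old and new rows differ only in leading whitespace, so state whether the intent is indentation cleanup or a conversion into a markdown table; if it is the latter, the `Hex` / `Phase` header row needs a separator line to render.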
diff --git a/windows/deployment/usmt/offline-migration-reference.md b/windows/deployment/usmt/offline-migration-reference.md
index be0c340cac..3406fdc071 100644
--- a/windows/deployment/usmt/offline-migration-reference.md
+++ b/windows/deployment/usmt/offline-migration-reference.md
@@ -187,13 +187,13 @@ The following system environment variables are necessary in the scenarios outlin
-
Hex Operation
- 0 SP_EXECUTION_OP_UNKNOWN
- 1 SP_EXECUTION_OP_COPY_PAYLOAD
- 2 SP_EXECUTION_OP_DOWNLOAD_UPDATES
- 3 SP_EXECUTION_OP_INSTALL_UPDATES
- 4 SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
- 5 SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
- 6 SP_EXECUTION_OP_REPLICATE_OC
- 7 SP_EXECUTION_OP_INSTALL_DRVIERS
- 8 SP_EXECUTION_OP_PREPARE_SAFE_OS
- 9 SP_EXECUTION_OP_PREPARE_ROLLBACK
- A SP_EXECUTION_OP_PREPARE_FIRST_BOOT
- B SP_EXECUTION_OP_PREPARE_OOBE_BOOT
- C SP_EXECUTION_OP_APPLY_IMAGE
- D SP_EXECUTION_OP_MIGRATE_DATA
- E SP_EXECUTION_OP_SET_PRODUCT_KEY
- F SP_EXECUTION_OP_ADD_UNATTEND
+ Hex Operation
+ 0 SP_EXECUTION_OP_UNKNOWN
+ 1 SP_EXECUTION_OP_COPY_PAYLOAD
+ 2 SP_EXECUTION_OP_DOWNLOAD_UPDATES
+ 3 SP_EXECUTION_OP_INSTALL_UPDATES
+ 4 SP_EXECUTION_OP_INSTALL_RECOVERY_ENVIRONMENT
+ 5 SP_EXECUTION_OP_INSTALL_RECOVERY_IMAGE
+ 6 SP_EXECUTION_OP_REPLICATE_OC
+ 7 SP_EXECUTION_OP_INSTALL_DRVIERS
+ 8 SP_EXECUTION_OP_PREPARE_SAFE_OS
+ 9 SP_EXECUTION_OP_PREPARE_ROLLBACK
+ A SP_EXECUTION_OP_PREPARE_FIRST_BOOT
+ B SP_EXECUTION_OP_PREPARE_OOBE_BOOT
+ C SP_EXECUTION_OP_APPLY_IMAGE
+ D SP_EXECUTION_OP_MIGRATE_DATA
+ E SP_EXECUTION_OP_SET_PRODUCT_KEY
+ F SP_EXECUTION_OP_ADD_UNATTEND
-
Hex Operation
- 10 SP_EXECUTION_OP_ADD_DRIVER
- 11 SP_EXECUTION_OP_ENABLE_FEATURE
- 12 SP_EXECUTION_OP_DISABLE_FEATURE
- 13 SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
- 14 SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
- 15 SP_EXECUTION_OP_CREATE_FILE
- 16 SP_EXECUTION_OP_CREATE_REGISTRY
- 17 SP_EXECUTION_OP_BOOT
- 18 SP_EXECUTION_OP_SYSPREP
- 19 SP_EXECUTION_OP_OOBE
- 1A SP_EXECUTION_OP_BEGIN_FIRST_BOOT
- 1B SP_EXECUTION_OP_END_FIRST_BOOT
- 1C SP_EXECUTION_OP_BEGIN_OOBE_BOOT
- 1D SP_EXECUTION_OP_END_OOBE_BOOT
- 1E SP_EXECUTION_OP_PRE_OOBE
- 1F SP_EXECUTION_OP_POST_OOBE
- 20 SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+ Hex Operation
+ 10 SP_EXECUTION_OP_ADD_DRIVER
+ 11 SP_EXECUTION_OP_ENABLE_FEATURE
+ 12 SP_EXECUTION_OP_DISABLE_FEATURE
+ 13 SP_EXECUTION_OP_REGISTER_ASYNC_PROCESS
+ 14 SP_EXECUTION_OP_REGISTER_SYNC_PROCESS
+ 15 SP_EXECUTION_OP_CREATE_FILE
+ 16 SP_EXECUTION_OP_CREATE_REGISTRY
+ 17 SP_EXECUTION_OP_BOOT
+ 18 SP_EXECUTION_OP_SYSPREP
+ 19 SP_EXECUTION_OP_OOBE
+ 1A SP_EXECUTION_OP_BEGIN_FIRST_BOOT
+ 1B SP_EXECUTION_OP_END_FIRST_BOOT
+ 1C SP_EXECUTION_OP_BEGIN_OOBE_BOOT
+ 1D SP_EXECUTION_OP_END_OOBE_BOOT
+ 1E SP_EXECUTION_OP_PRE_OOBE
+ 1F SP_EXECUTION_OP_POST_OOBE
+ 20 SP_EXECUTION_OP_ADD_PROVISIONING_PACKAGE
+Set USMT_WORKING_DIR=[path to working directory]
Set USMT_WORKING_DIR=[path to working directory]
+Set MIG_OFFLINE_PLATFORM_ARCH=32
Set MIG_OFFLINE_PLATFORM_ARCH=32
+<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
<pattern type="File">C:\Program Files\Microsoft Office[.doc]</pattern>
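Review bot: this hunk header claims a 13-line span (`@@ -187,13 +187,13 @@`) but the body mixes the SP_EXECUTION_OP_* operation tables from upgrade-error-codes.md with USMT lines (`Set USMT_WORKING_DIR=...`, `Set MIG_OFFLINE_PLATFORM_ARCH=32`, `<pattern>` elements), which indicates the patch was spliced incorrectly; please regenerate it from a clean diff of each file. Two content points to carry into the regenerated patch: the operation rows again differ only in leading whitespace, so the intent (indentation versus table conversion) should be stated; and `SP_EXECUTION_OP_INSTALL_DRVIERS` is kept verbatim on both sides, so verify against the Windows Setup extend-code enumeration whether that spelling is the real identifier or a long-standing typo before republishing it. The added `Set ...` and `<pattern>` lines are identical to the context lines directly below them, so unless the blank-looking removed lines carried markup that was stripped in this rendering, the rendered page will show each of those lines twice.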
@@ -424,11 +424,11 @@ In the examples below, the source computer has a .txt file called "new text docu
-
+<pattern type="File">d:\new folder[new text document.txt]</pattern>
<pattern type="File">d:\new folder[new text document.txt]</pattern>
-
+<pattern type="File">d:\new folder[]</pattern>
<pattern type="File">d:\new folder[]</pattern>
-
<merge script="MigXmlHelper.DestinationPriority()">
+
<merge script="MigXmlHelper.DestinationPriority()">
<objectSet>
<pattern type="File">c:\data* []</pattern>
</objectSet>
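Review bot: each added `<pattern>` line in this hunk (`d:\new folder[new text document.txt]`, `d:\new folder[]`) is identical to the unchanged context line immediately after it, and the `<merge script="MigXmlHelper.DestinationPriority()">` line is removed and re-added around a blank line; if the removed blank-looking lines were code-fence or `<pre>` markup that this rendering stripped, that is fine, but otherwise the rendered page will duplicate every example line. Please check the rendered output for this section and the matching hunks in usmt-custom-xml-examples.md and usmt-xml-elements-library.md, which follow the same pattern.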
@@ -423,7 +423,7 @@ For this example, the following table describes the resulting behavior if you ad
-
<merge script="MigXmlHelper.SourcePriority()">
+
<merge script="MigXmlHelper.SourcePriority()">
<objectSet>
<pattern type="File">c:\data* []</pattern>
</objectSet>
@@ -432,7 +432,7 @@ For this example, the following table describes the resulting behavior if you ad
- <merge script="MigXmlHelper.SourcePriority()">
+
<merge script="MigXmlHelper.SourcePriority()">
<objectSet>
<pattern type="File">c:\data\ [*]</pattern>
</objectSet>
diff --git a/windows/deployment/usmt/usmt-custom-xml-examples.md b/windows/deployment/usmt/usmt-custom-xml-examples.md
index 5314d52e8e..5096af5a77 100644
--- a/windows/deployment/usmt/usmt-custom-xml-examples.md
+++ b/windows/deployment/usmt/usmt-custom-xml-examples.md
@@ -119,15 +119,15 @@ The following is a custom .xml file named CustomFile.xml that migrates My Videos
-
+<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
<condition>MigXmlHelper.DoesObjectExist("File","%CSIDL_MYVIDEO%")</condition>
-
+<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
<include filter='MigXmlHelper.IgnoreIrrelevantLinks()'>
-
@@ -176,19 +176,19 @@ This table describes the behavior in the following example .xml file.
+<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
<pattern type="File">%CSIDL_MYVIDEO%* [*]</pattern>
-
+<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
<pattern type="File">%ProgramFiles%\USMTTestFolder* [USMTTestFile.txt]</pattern>
-
+<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
<pattern type="File">%ProgramFiles%\USMTDIRTestFolder* []</pattern>
-
+<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
<pattern type="Registry">HKCU\Software\USMTTESTKEY* [MyKey]</pattern>
-
diff --git a/windows/deployment/usmt/usmt-xml-elements-library.md b/windows/deployment/usmt/usmt-xml-elements-library.md
index 9f2a90a4f5..c97dfbadb0 100644
--- a/windows/deployment/usmt/usmt-xml-elements-library.md
+++ b/windows/deployment/usmt/usmt-xml-elements-library.md
@@ -3465,7 +3465,7 @@ Syntax:
+<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
<pattern type="Registry">HKLM\Software\USMTTESTKEY* []</pattern>
<component context="UserAndSystem" type="Application">
+
<component context="UserAndSystem" type="Application">
<displayName _locID="migapp.msoffice2003">Microsoft Office 2003</displayName>
<environment name="GlobalEnv" />
<role role="Container">
diff --git a/windows/deployment/vda-subscription-activation.md b/windows/deployment/vda-subscription-activation.md
index 25ae02c985..a7081e65f1 100644
--- a/windows/deployment/vda-subscription-activation.md
+++ b/windows/deployment/vda-subscription-activation.md
@@ -1,7 +1,7 @@
---
-title: Configure VDA for Windows 10 Subscription Activation
+title: Configure VDA for Windows 10/11 Subscription Activation
ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
ms.author: greglin
author: greg-lindsay
@@ -18,9 +18,13 @@ ms.topic: article
ms.collection: M365-modern-desktop
---
-# Configure VDA for Windows 10 Subscription Activation
+# Configure VDA for Windows 10/11 Subscription Activation
-This document describes how to configure virtual machines (VMs) to enable [Windows 10 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
+Applies to:
+- Windows 10
+- Windows 11
+
+This document describes how to configure virtual machines (VMs) to enable [Windows 10/11 Subscription Activation](windows-10-subscription-activation.md) in a Windows Virtual Desktop Access (VDA) scenario. Windows VDA is a device or user-based licensing mechanism for managing access to virtual desktops.
Deployment instructions are provided for the following scenarios:
1. [Active Directory-joined VMs](#active-directory-joined-vms)
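Review bot: the new "Applies to:" block is plain text here, while the same PR uses bold `**Applies to**` in windows-update-troubleshooting.md and `**Applies to**:` in windows-update-resources.md; settle on one form across the PR. The link text is changed to "Windows 10/11 Subscription Activation" while the target file stays `windows-10-subscription-activation.md`; that is fine for the link, but confirm the target page's title was updated in the same way so the two match.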
@@ -29,31 +33,31 @@ Deployment instructions are provided for the following scenarios:
## Requirements
-- VMs must be running Windows 10 Pro, version 1703 (also known as the Creator's Update) or later.
+- VMs must be running Windows 10 Pro, version 1703 or later. Windows 11 is "later" in this context.
- VMs must be Active Directory-joined or Azure Active Directory (AAD)-joined.
-- VMs must be generation 1.
-- VMs must be hosted by a [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- VMs must be hosted by a Qualified Multitenant Hoster (QMTH).
+ - For more information, see [Qualified Multitenant Hoster Program](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) (PDF download).
## Activation
### Scenario 1
-- The VM is running Windows 10, version 1803 or later.
-- The VM is hosted in Azure or another [Qualified Multitenant Hoster](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) (QMTH).
+- The VM is running Windows 10, version 1803 or later (ex: Windows 11).
+- The VM is hosted in Azure or another Qualified Multitenant Hoster (QMTH).
- When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
+ When a user with VDA rights signs in to the VM using their AAD credentials, the VM is automatically stepped-up to Enterprise and activated. There is no need to perform Windows 10/11 Pro activation. This eliminates the need to maintain KMS or MAK in the qualifying cloud infrastructure.
### Scenario 2
- The Hyper-V host and the VM are both running Windows 10, version 1803 or later.
- [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
+ [Inherited Activation](./windows-10-subscription-activation.md#inherited-activation) is enabled. All VMs created by a user with a Windows 10/11 E3 or E5 license are automatically activated independent of whether a user signs in with a local account or using an Azure Active Directory account.
### Scenario 3
-- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://www.microsoft.com/en-us/CloudandHosting/licensing_sca.aspx) partner.
+- The VM is running Windows 10, version 1703 or 1709, or the hoster is not an authorized [QMTH](https://download.microsoft.com/download/3/D/4/3D445779-2870-4E3D-AFCB-D35D2E1BC095/QMTH%20Authorized%20Partner%20List.pdf) partner.
- In this scenario, the underlying Windows 10 Pro license must be activated prior to Subscription Activation of Windows 10 Enterprise. Activation is accomplished using a Windows 10 Pro Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems).
+ In this scenario, the underlying Windows 10/11 Pro license must be activated prior to Subscription Activation of Windows 10/11 Enterprise. Activation is accomplished using a Generic Volume License Key (GVLK) and a Volume License KMS activation server provided by the hoster. Alternatively, a KMS activation server can be used. KMS activation is provided for Azure VMs. For more information, see [Troubleshoot Azure Windows virtual machine activation problems](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems).
For examples of activation issues, see [Troubleshoot the user experience](./deploy-enterprise-licenses.md#troubleshoot-the-user-experience).
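Review bot: the requirement "VMs must be generation 1" is removed without any replacement text, which silently changes a stated prerequisite; if generation 2 VMs are now supported, say so explicitly ("VMs can be generation 1 or generation 2") rather than leaving readers to infer it from an omission. Wording in the changed lines: `Windows 11 is "later" in this context.` would read better as "(Windows 11 also qualifies)", and "(ex: Windows 11)" should be "(for example, Windows 11)". The QMTH links now point at the "QMTH Authorized Partner List" PDF while the link text in the Requirements bullet says "Qualified Multitenant Hoster Program"; either label the link as the partner list or point it at the program page. In Scenario 3, the rewrite drops "Windows 10 Pro" before "Generic Volume License Key (GVLK)", so the sentence no longer says which edition's GVLK is applied; since the preceding sentence makes the Pro license the thing being activated, keep "Pro" with the key. Finally, the Scenario 1 and Scenario 2 bullets are changed by removing the leading `- ` list marker from the added line, so those items will render as paragraphs instead of bullets; keep the marker.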
@@ -147,6 +151,6 @@ To create custom RDP settings for Azure:
## Related topics
-[Windows 10 Subscription Activation](windows-10-subscription-activation.md)
+[Windows 10/11 Subscription Activation](windows-10-subscription-activation.md)
[Recommended settings for VDI desktops](/windows-server/remote/remote-desktop-services/rds-vdi-recommendations)
[Licensing the Windows Desktop for VDI Environments](https://download.microsoft.com/download/1/1/4/114A45DD-A1F7-4910-81FD-6CAF401077D0/Microsoft%20VDI%20and%20VDA%20FAQ%20v3%200.pdf)
\ No newline at end of file
diff --git a/windows/deployment/wds-boot-support.md b/windows/deployment/wds-boot-support.md
new file mode 100644
index 0000000000..f141ef1446
--- /dev/null
+++ b/windows/deployment/wds-boot-support.md
@@ -0,0 +1,112 @@
+---
+title: Windows Deployment Services (WDS) boot.wim support
+description: This article provides details on the support capabilities of WDS for end to end operating system deployment.
+ms.prod: w11
+ms.mktglfcycl: plan
+ms.localizationpriority: medium
+ms.sitesec: library
+audience: itpro
+author: greg-lindsay
+ms.author: greglin
+manager: laurawi
+ms.topic: article
+ms.custom: seo-marvel-apr2020
+---
+
+# Windows Deployment Services (WDS) boot.wim support
+
+Applies to:
+- Windows 10
+- Windows 11
+
+The operating system deployment functionality of [Windows Deployment Services](/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/hh831764(v=ws.11)) (WDS) is being partially deprecated. Starting with Windows 11, workflows that rely on **boot.wim** from installation media or on running Windows Setup in WDS mode will no longer be supported.
+
+When you PXE-boot from a WDS server that uses the **boot.wim** file from installation media as its boot image, Windows Setup automatically launches in WDS mode. This workflow is deprecated for Windows 11 and newer boot images. The following deprecation message is displayed:
+
+ 
+
+## Deployment scenarios affected
+
+The table below provides support details for specific deployment scenarios.
+
+
+
+
+
+## Reason for the change
+
+Alternatives to WDS, such as [Microsoft Endpoint Configuration Manager](/mem/configmgr/) and [Microsoft Deployment Toolkit](/mem/configmgr/mdt/) (MDT) provide a better, more flexible, and feature-rich experience for deploying Windows images.
+
+## Not affected
+
+WDS PXE boot is not affected by this change. You can still use WDS to PXE boot devices with custom boot images, but you cannot use **boot.wim** as the boot image and run Windows Setup in WDS mode.
+
+You can still run Windows Setup from a network share. Workflows that use a custom boot.wim, such as MDT or Configuration Manager are not affected by this change.
+
+## Summary
+
+- Windows 11 workflows that rely on **boot.wim** from installation media will be blocked. You cannot perform an end to end deployment of Windows 11 using only WDS.
+- Windows 10, Windows Server 2019, and previous operating system versions are not affected by this change.
+- Windows Server 2022 workflows that rely on **boot.wim** from installation media will show a non-blocking deprecation notice. The notice can be dismissed, and currently the workflow is not blocked.
+- Windows Server workflows after Windows Server 2022 that rely on **boot.wim** from installation media are blocked.
+
+If you currently use WDS with **boot.wim** from installation media for end-to-end operating system deployment, and your OS version is not supported, deprecated, or blocked, it is recommended that you use deployment tools such as MDT, Configuration Manager, or a non-Microsoft solution with a custom boot.wim image.
+
+## Also see
+
+[Features removed or no longer developed starting with Windows Server 2022](/windows-server/get-started/removed-deprecated-features-windows-server-2022#features-were-no-longer-developing)
+
+
+
+ Windows 10
+ Windows Server 2016
+ Windows Server 2019
+ Windows Server 2022
+ Windows 11
+
+
+
+
+
Boot image version
+
+ Windows 10
+ Supported, using a boot image from matching or newer version.
+ Supported, using a boot image from Windows 10, version 1607 or later.
+ Supported, using a boot image from Windows 10, version 1809 or later.
+ Not supported.
+ Not supported.
+
+
+ Windows Server 2016
+ Supported, using a boot image from Windows 10, version 1607 or later.
+ Supported.
+ Not supported.
+ Not supported.
+ Not supported.
+
+
+ Windows Server 2019
+ Supported, using a boot image from Windows 10, version 1809 or later.
+ Supported.
+ Supported.
+ Not supported.
+ Not supported.
+
+
+ Windows Server 2022
+ Deprecated, with a warning message.
+ Deprecated, with a warning message.
+ Deprecated, with a warning message.
+ Deprecated, with a warning message.
+ Not supported.
+
+
+ Windows 11
+ Not supported, blocked.
+ Not supported, blocked.
+ Not supported, blocked.
+ Not supported, blocked.
+ Not supported, blocked.
+
+[Create a custom Windows PE boot image with Configuration Manager](deploy-windows-cm/create-a-custom-windows-pe-boot-image-with-configuration-manager.md)
+[Prepare for deployment with MDT](deploy-windows-mdt/prepare-for-windows-deployment-with-mdt.md)
\ No newline at end of file
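Review bot: the recommendation at the end of the Summary section ("and your OS version is not supported, deprecated, or blocked, it is recommended that you use deployment tools such as MDT...") reads as if it applied to supported versions; "is unsupported, deprecated, or blocked" says what is meant. In "Not affected", "Workflows that use a custom boot.wim, such as MDT or Configuration Manager are not affected" needs a comma after "Configuration Manager", and the page mixes "end to end" with "end-to-end". The two links under "Also see" are on consecutive lines with no blank line between them, so Markdown renders them as one paragraph; separate them or make them a list, and add a trailing newline since the hunk ends with "\ No newline at end of file". Finally, the support matrix shows up after the "Also see" links rather than under "Deployment scenarios affected", where the text says "The table below provides support details"; confirm the table is placed under that heading in the source.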
diff --git a/windows/deployment/windows-10-deployment-scenarios.md b/windows/deployment/windows-10-deployment-scenarios.md
index 6bba5bcd04..7bbf4ab431 100644
--- a/windows/deployment/windows-10-deployment-scenarios.md
+++ b/windows/deployment/windows-10-deployment-scenarios.md
@@ -30,109 +30,109 @@ The following table summarizes various Windows 10 deployment scenarios. The scen
- Traditional deployment methods use existing tools to deploy operating system images.
-
-## Deployment of Windows 10 Enterprise E3 licenses
+## Deployment of Windows 10/11 Enterprise E3 licenses
See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
-## Deploy Windows 10 Enterprise features
+## Deploy Windows 10/11 Enterprise features
-Now that you have Windows 10 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)?
+Now that you have Windows 10/11 Enterprise edition running on devices, how do you take advantage of the Enterprise edition features and capabilities? What are the next steps that need to be taken for each of the features discussed in [Table 1](#compare-windows10-pro-and-enterprise-editions)?
-The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10 Enterprise edition features.
+The following sections provide you with the high-level tasks that need to be performed in your environment to help users take advantage of the Windows 10/11 Enterprise edition features.
### Credential Guard\*
-You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
+You can implement Credential Guard on Windows 10 Enterprise devices by turning on Credential Guard on these devices. Credential Guard uses Windows 10/11 virtualization-based security features (Hyper-V features) that must be enabled on each device before you can turn on Credential Guard. You can turn on Credential Guard by using one of the following methods:
- **Automated**. You can automatically turn on Credential Guard for one or more devices by using Group Policy. The Group Policy settings automatically add the virtualization-based security features and configure the Credential Guard registry settings on managed devices.
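Review bot: the Credential Guard paragraph is only half updated: "Windows 10/11 virtualization-based security features" was changed, but the sentence still opens with "You can implement Credential Guard on Windows 10 Enterprise devices". The heading and the two paragraphs above were changed to "Windows 10/11 Enterprise", so this one should be too, otherwise the section reads as if the Credential Guard guidance excludes Windows 11. The hunk also drops "- Traditional deployment methods use existing tools to deploy operating system images." with no replacement line visible here; confirm the removal is intended.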
@@ -174,7 +174,7 @@ For more information about implementing Credential Guard, see the following reso
### Device Guard
-Now that the devices have Windows 10 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
+Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices by performing the following steps:
1. **Optionally, create a signing certificate for code integrity policies**. As you deploy code integrity policies, you might need to sign catalog files or code integrity policies internally. To do this, you will either need a publicly issued code signing certificate (that you purchase) or an internal certificate authority (CA). If you choose to use an internal CA, you will need to create a code signing certificate.
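Review bot: the Device Guard intro mixes both forms in one sentence: "Now that the devices have Windows 10/11 Enterprise, you can implement Device Guard on the Windows 10 Enterprise devices". Use "Windows 10/11 Enterprise devices" for the second occurrence as well.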
@@ -197,7 +197,7 @@ For more information about implementing Device Guard, see:
### AppLocker management
-You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
+You can manage AppLocker in Windows 10 Enterprise by using Group Policy. Group Policy requires that the you have AD DS and that the Windows 10/11 Enterprise devices are joined to the your AD DS domain. You can create AppLocker rules by using Group Policy, and then target those rules to the appropriate devices.
For more information about AppLocker management by using Group Policy, see [AppLocker deployment guide](/windows/security/threat-protection/windows-defender-application-control/applocker/applocker-policies-deployment-guide).
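Review bot: the AppLocker line still carries two pre-existing typos that should go while the line is being edited: "Group Policy requires that the you have AD DS" and "joined to the your AD DS domain" (drop "the" in both). The first "Windows 10 Enterprise" in the same sentence was also left 10-only while the second was changed to "Windows 10/11 Enterprise".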
@@ -209,7 +209,7 @@ App-V requires an App-V server infrastructure to support App-V clients. The prim
- **App-V sequencer**. The App-V sequencer is a typical client device that is used to sequence (capture) apps and prepare them for hosting from the App-V server. You install apps on the App-V sequencer, and the App-V sequencer software determines the files and registry settings that are changed during app installation. Then the sequencer captures these settings to create a virtualized app.
-- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10 Enterprise E3 devices.
+- **App-V client**. The App-V client must be enabled on any client device on which apps will be run from the App-V server. These will be the Windows 10/11 Enterprise E3 devices.
For more information about implementing the App-V server, App-V sequencer, and App-V client, see the following resources:
@@ -253,7 +253,7 @@ The Managed User Experience feature is a set of Windows 10 Enterprise edition f
## Related topics
-[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md)
-
+ Category
- Scenario
- Description
- More information Category
+ Scenario
+ Description
+ More information Modern
[Windows Autopilot](#windows-autopilot)
-
+
Customize the out-of-box-experience (OOBE) for your organization, and deploy a new system with apps and settings already configured.
-
+
Overview of Windows Autopilot
-
+
[In-place upgrade](#in-place-upgrade)
-
+
Use Windows Setup to update your OS and migrate apps and settings. Rollback data is saved in Windows.old.
-
+
Perform an in-place upgrade to Windows 10 with MDT
Perform an in-place upgrade to Windows 10 using Configuration Manager
-
+
Dynamic
-
+
[Subscription Activation](#windows-10-subscription-activation)
-
+
Switch from Windows 10 Pro to Enterprise when a subscribed user signs in.
-
+
Windows 10 Subscription Activation
-
+
[AAD / MDM](#dynamic-provisioning)
-
+
The device is automatically joined to AAD and configured by MDM.
-
+
Azure Active Directory integration with MDM
-
+
[Provisioning packages](#dynamic-provisioning)
-
+
Using the Windows Imaging and Configuration Designer tool, create provisioning packages that can be applied to devices.
-
+
Configure devices without MDM
-
+
Traditional
-
+
[Bare metal](#new-computer)
-
+
Deploy a new device, or wipe an existing device and deploy with a fresh image.
-
+
Deploy a Windows 10 image using MDT
Deploy Windows 10 using PXE and Configuration Manager
-
+
[Refresh](#computer-refresh)
-
+
Also called wipe and load. Redeploy a device by saving the user state, wiping the disk, then restoring the user state.
-
+
Refresh a Windows 7 computer with Windows 10
Refresh a Windows 7 SP1 client with Windows 10 using Configuration Manager
-
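Review bot: the Related topics hunk removes "[Windows 10 Enterprise Subscription Activation](windows-10-subscription-activation.md)" but no `+` line replaces it in this hunk. If the intent was to rename it to the 10/11 form, the added line belongs here; as it stands, the scenarios topic loses its related link to the subscription activation article. The remaining `-`/`+` pairs in the table rows render identically (for example around "Overview of Windows Autopilot"), so they appear to be markup-only or whitespace-only changes that cannot be verified in this view.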
diff --git a/windows/deployment/windows-10-enterprise-e3-overview.md b/windows/deployment/windows-10-enterprise-e3-overview.md
index 33fe4e9e80..a4d743c9db 100644
--- a/windows/deployment/windows-10-enterprise-e3-overview.md
+++ b/windows/deployment/windows-10-enterprise-e3-overview.md
@@ -1,15 +1,15 @@
---
-title: Windows 10 Enterprise E3 in CSP
-description: Describes Windows 10 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10 Enterprise edition.
+title: Windows 10/11 Enterprise E3 in CSP
+description: Describes Windows 10/11 Enterprise E3, an offering that delivers, by subscription, the features of Windows 10/11 Enterprise edition.
keywords: upgrade, update, task sequence, deploy
ms.prod: w10
ms.mktglfcycl: deploy
ms.localizationpriority: medium
ms.sitesec: library
ms.pagetype: mdt
-ms.date: 08/24/2017
+ms.date: 09/28/2021
ms.reviewer:
-manager: laurawi
+manager: dougeby
ms.audience: itpro
author: greg-lindsay
audience: itpro
@@ -17,51 +17,51 @@ ms.collection: M365-modern-desktop
ms.topic: article
---
-# Windows 10 Enterprise E3 in CSP
+# Windows 10/11 Enterprise E3 in CSP
-Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. Windows 10 Enterprise E3 in CSP is a new offering that delivers, by subscription, exclusive features reserved for Windows 10 Enterprise edition. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
+Applies to:
+- Windows 10
+- Windows 11
-- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later, installed and activated, on the devices to be upgraded
+Windows 10 Enterprise E3 launched in the Cloud Solution Provider (CSP) channel on September 1, 2016. With the release of Windows 11, Windows 10/11 Enterprise E3 in CSP is available.
+
+Windows 10/11 Enterprise E3 in CSP delivers, by subscription, exclusive features reserved for Windows 10 or Windows 11 Enterprise editions. This offering is available through the Cloud Solution Provider (CSP) channel via the Partner Center as an online service. Windows 10/11 Enterprise E3 in CSP provides a flexible, per-user subscription for small- and medium-sized organizations (from one to hundreds of users). To take advantage of this offering, you must have the following:
+
+- Windows 10 Pro, version 1607 (Windows 10 Anniversary Update) or later (or Windows 11), installed and activated, on the devices to be upgraded.
- Azure Active Directory (Azure AD) available for identity management
-Starting with Windows 10, version 1607 (Windows 10 Anniversary Update), you can move from Windows 10 Pro to Windows 10 Enterprise more easily than ever before—no keys and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise and all the appropriate Windows 10 Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Windows 10 Enterprise device seamlessly steps back down to Windows 10 Pro.
+You can move from Windows 10 Pro or Windows 11 Pro to Windows 10 Enterprise or Windows 11 Enterprise more easily than ever before — with no keys, and no reboots. After one of your users enters the Azure AD credentials associated with a Windows 10/11 Enterprise E3 license, the operating system turns from Windows 10 Pro to Windows 10 Enterprise or Windows 11 Pro to Windows 11 Enterprise, and all the appropriate Enterprise features are unlocked. When a subscription license expires or is transferred to another user, the Enterprise device seamlessly steps back down to Windows 10 Pro or Windows 11 Pro.
-Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Windows 10 Enterprise features.
+Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Enterprise or Windows 11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 in CSP, small- and medium-sized organizations can more easily take advantage of Enterprise edition features.
-When you purchase Windows 10 Enterprise E3 via a partner, you get the following benefits:
-
-- **Windows 10 Enterprise edition**. Devices currently running Windows 10 Pro, version 1607 can get Windows 10 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
-
-- **Support from one to hundreds of users**. Although the Windows 10 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
+When you purchase Windows 10/11 Enterprise E3 via a partner, you get the following benefits:
+- **Windows 10/11 Enterprise edition**. Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB).
+- **Support from one to hundreds of users**. Although the Windows 10/11 Enterprise E3 in CSP program does not have a limitation on the number of licenses an organization can have, the program is designed for small- and medium-sized organizations.
- **Deploy on up to five devices**. For each user covered by the license, you can deploy Windows 10 Enterprise edition on up to five devices.
-
-- **Roll back to Windows 10 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10 Enterprise device reverts seamlessly to Windows 10 Pro edition (after a grace period of up to 90 days).
-
-- **Monthly, per-user pricing model**. This makes Windows 10 Enterprise E3 affordable for any organization.
-
+- **Roll back to Windows 10/11 Pro at any time**. When a user’s subscription expires or is transferred to another user, the Windows 10/11 Enterprise device reverts seamlessly to Windows 10/11 Pro edition (after a grace period of up to 90 days).
+- **Monthly, per-user pricing model**. This makes Windows 10/11 Enterprise E3 affordable for any organization.
- **Move licenses between users**. Licenses can be quickly and easily reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
-How does the Windows 10 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
+How does the Windows 10/11 Enterprise E3 in CSP program compare with Microsoft Volume Licensing Agreements and Software Assurance?
- [Microsoft Volume Licensing](https://www.microsoft.com/licensing/default.aspx) programs are broader in scope, providing organizations with access to licensing for all Microsoft products.
-
- [Software Assurance](https://www.microsoft.com/Licensing/licensing-programs/software-assurance-default.aspx) provides organizations with the following categories of benefits:
- **Deployment and management**. These benefits include planning services, Microsoft Desktop Optimization (MDOP), Windows Virtual Desktop Access Rights, Windows-To-Go Rights, Windows Roaming Use Rights, Windows Thin PC, Windows RT Companion VDA Rights, and other benefits.
-
- **Training**. These benefits include training vouchers, online e-learning, and a home use program.
-
- **Support**. These benefits include 24x7 problem resolution support, backup capabilities for disaster recovery, System Center Global Service Monitor, and a passive secondary instance of SQL Server.
-
- **Specialized**. These benefits include step-up licensing availability (which enables you to migrate software from an earlier edition to a higher-level edition) and to spread license and Software Assurance payments across three equal, annual sums.
- In addition, in Windows 10 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
+ In addition, in Windows 10/11 Enterprise E3 in CSP, a partner can manage your licenses for you. With Software Assurance, you, the customer, manage your own licenses.
-In summary, the Windows 10 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to Windows 10 Enterprise edition.
+In summary, the Windows 10/11 Enterprise E3 in CSP program is an upgrade offering that provides small- and medium-sized organizations easier, more flexible access to the benefits of Windows 10 Enterprise edition, whereas Microsoft Volume Licensing programs and Software Assurance are broader in scope and provide benefits beyond access to the Enterprise edition of Windows 10 or Windows 11.
## Compare Windows 10 Pro and Enterprise editions
+> [!NOTE]
+> The following table only lists Windows 10. More information will be available about differences between Windows 11 editions after Windows 11 is generally available.
+
Windows 10 Enterprise edition has a number of features that are unavailable in Windows 10 Pro. Table 1 lists the Windows 10 Enterprise features not found in Windows 10 Pro. Many of these features are security-related, whereas others enable finer-grained device management.
*Table 1. Windows 10 Enterprise features not found in Windows 10 Pro*
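Review bot: the benefits bullet "Devices currently running Windows 10 Pro or Windows 11 Pro can get Windows 10/11 Enterprise Current Branch (CB) or Current Branch for Business (CBB). This benefit does not include Long Term Service Branch (LTSB)." keeps servicing names Microsoft retired in 2017 (CB and CBB became Semi-Annual Channel, LTSB became the Long-Term Servicing Channel, LTSC); since the line is being rewritten for Windows 11 anyway, update the terms. In the same hunk, "Deploy on up to five devices ... Windows 10 Enterprise edition" and the closing "benefits of Windows 10 Enterprise edition" are left 10-only; the new sentence "more easily than ever before — with no keys, and no reboots" introduces a spaced em dash and a stray comma ("with no keys and no reboots"); and the first requirement bullet now ends with a period while the Azure AD bullet does not.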
@@ -140,19 +140,19 @@ Windows 10 Enterprise edition has a number of features that are unavailable in
+
[Replace](#computer-replace)
-
+
Replace an existing device with a new one by saving the user state on the old device and then restoring it to the new device.
-
+
Replace a Windows 7 computer with a Windows 10 computer
Replace a Windows 7 SP1 client with Windows 10 using Configuration Manager
[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
-
[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
-
[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file
+[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)
+[Connect domain-joined devices to Azure AD for Windows 10 experiences](/azure/active-directory/devices/hybrid-azuread-join-plan)
+[Compare Windows 10 editions](https://www.microsoft.com/WindowsForBusiness/Compare)
+[Windows for business](https://www.microsoft.com/windowsforbusiness/default.aspx)
\ No newline at end of file
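Review bot: the four link lines added at the end of the file, starting with "+[Windows 10/11 Enterprise Subscription Activation](windows-10-subscription-activation.md)", have no blank line between them, so Markdown renders them as a single paragraph; the removed version had blank separators. Keep the separators or turn them into a bullet list, and add a trailing newline since the hunk still ends with "\ No newline at end of file". The three re-added links are identical to the removed ones, so the net change is the new first line plus the blank-line removal.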
diff --git a/windows/deployment/windows-10-poc-mdt.md b/windows/deployment/windows-10-poc-mdt.md
index 9d18e1af46..99a97d2f55 100644
--- a/windows/deployment/windows-10-poc-mdt.md
+++ b/windows/deployment/windows-10-poc-mdt.md
@@ -46,7 +46,7 @@ Topics and procedures in this guide are summarized in the following table. An es
-
Topic Description Time
@@ -226,8 +226,8 @@ A reference image serves as the foundation for Windows 10 devices in your organi
26. Open a Windows PowerShell prompt on the Hyper-V host computer and type the following commands:
-
+
New-VM REFW10X64-001 -SwitchName poc-internal -NewVHDPath "c:\VHD\REFW10X64-001.vhdx" -NewVHDSizeBytes 60GB
Set-VMMemory REFW10X64-001 -DynamicMemoryEnabled $true -MinimumBytes 1024MB -MaximumBytes 1024MB -Buffer 20
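Review bot: the `-`/`+` pair before the New-VM commands renders empty in this view, so the delimiter change itself cannot be checked here. If it converts an HTML block to a fenced code block, tag the fence with a language (`powershell`) so the commands get highlighting, and apply the same to the other command blocks touched by this PR in windows-10-poc.md.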
diff --git a/windows/deployment/windows-10-poc.md b/windows/deployment/windows-10-poc.md
index d4a667a65b..3855f4698d 100644
--- a/windows/deployment/windows-10-poc.md
+++ b/windows/deployment/windows-10-poc.md
@@ -55,7 +55,7 @@ Topics and procedures in this guide are summarized in the following table. An es
-
@@ -83,7 +83,7 @@ One computer that meets the hardware and software specifications below is requir
Hardware requirements are displayed below:
-Topic Description Time
@@ -179,7 +179,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
1. To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
-
+
C:\>systeminfo
...
@@ -195,7 +195,7 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
-
+
C:\>coreinfo -v
Coreinfo v3.31 - Dump information on system CPU and memory topology
@@ -214,11 +214,11 @@ Starting with Windows 8, the host computer’s microprocessor must support secon
2. The Hyper-V feature is not installed by default. To install it, open an elevated Windows PowerShell window and type the following command:
-
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
+ Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. This command will also install Hyper-V if it isn't already installed, so if desired you can just type the following command on Windows Server 2012 or 2016 instead of using the Enable-WindowsOptionalFeature command:
- Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
+ Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once. After installation is complete, you can open Hyper-V Manager by typing **virtmgmt.msc** at an elevated command prompt.
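Review bot: as rendered, "Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All" appears once as unchanged context and once as an added line, so the result would show the command twice, while the Install-WindowsFeature `-`/`+` pair just below differs only in indentation. Verify the old Enable-WindowsOptionalFeature line is actually removed and that each command ends up inside a code block rather than as a bare indented line.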
@@ -256,7 +256,7 @@ After completing these steps, you will have three files in the **C:\VHD** direct
The following displays the procedures described in this section, both before and after downloading files:
-
+
C:>mkdir VHD
C:>cd VHD
C:\VHD>ren 9600*.vhd 2012R2-poc-1.vhd
@@ -301,7 +301,7 @@ If you have a PC available to convert to VM (computer 2):
When creating a VM in Hyper-V, you must specify either generation 1 or generation 2. The following table describes requirements for these two types of VMs.
-
@@ -331,13 +331,13 @@ If the PC is running a 32-bit OS or the OS is Windows 7, it must be converted to
- To determine the OS and architecture of a PC, type **systeminfo** at a command prompt and review the output next to **OS Name** and **System Type**.
- To determine the partition style, open a Windows PowerShell prompt on the PC and type the following command:
-
+
Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
If the **Type** column does not indicate GPT, then the disk partition format is MBR ("Installable File System" = MBR). In the following example, the disk is GPT:
-
+
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
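Review bot: while these blocks are being reformatted, consider that Get-WmiObject is absent from PowerShell 7 and has been superseded by Get-CimInstance since Windows PowerShell 3.0; "Get-CimInstance -ClassName Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type" returns the same properties, and the Get-Disk example in the next hunk already reports the partition style with less noise. Only a suggestion, since the hunk changes markup, not the commands.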
@@ -348,7 +348,7 @@ USER-PC1 Disk #0, Partition #1 GPT
On a computer running Windows 8 or later, you can also type **Get-Disk** at a Windows PowerShell prompt to discover the partition style. The default output of this cmdlet displays the partition style for all attached disks. Both commands are displayed below. In this example, the client computer is running Windows 8.1 and uses a GPT style partition format:
-
+
PS C:> Get-WmiObject -Class Win32_DiskPartition | Select-Object -Property SystemName,Caption,Type
SystemName Caption Type
@@ -372,7 +372,7 @@ Number Friendly Name OperationalStatus Tota
The following table displays the Hyper-V VM generation to choose based on the OS, architecture, and partition style. Links to procedures to create the corresponding VMs are included.
-
Similar to manage-bde, the Windows PowerShell cmdlets allow configuration beyond the options offered in the control panel. As with manage-bde, users need to consider the specific needs of the volume they are encrypting prior to running Windows PowerShell cmdlets.
+
A good initial step is to determine the current state of the volume(s) on the computer. You can do this using the
@@ -455,7 +455,7 @@ Notes:
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (w7.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -471,7 +471,7 @@ Notes:
2. On the computer you wish to convert, open an elevated command prompt and type the following command:
- mountvol s: /s
+ mountvol s: /s
This command temporarily assigns a drive letter of S to the system volume and mounts it. If the letter S is already assigned to a different volume on the computer, then choose one that is available (ex: mountvol z: /s).
@@ -488,7 +488,7 @@ Notes:
6. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHDX file (PC1.vhdx) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -512,7 +512,7 @@ Notes:
5. When the Disk2vhd utility has completed converting the source computer to a VHD, copy the VHD file (w7.vhd) to your Hyper-V host in the C:\VHD directory. There should now be four files in this directory:
-
+
C:\vhd>dir /B
2012R2-poc-1.vhd
2012R2-poc-2.vhd
@@ -531,7 +531,7 @@ Notes:
To ensure that enhanced session mode is enabled on the Hyper-V host, type the following command at an elevated Windows PowerShell prompt on the Hyper-V host:
-Set-VMhost -EnableEnhancedSessionMode $TRUE
+Set-VMhost -EnableEnhancedSessionMode $TRUE
>If enhanced session mode was not previously enabled, close any existing virtual machine connections and re-open them to enable access to enhanced session mode. As mentioned previously: instructions to "type" commands provided in this guide can be typed, but the preferred method is to copy and paste these commands. Most of the commands to this point in the guide have been brief, but many commands in sections below are longer and more complex.
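Review bot: "-Set-VMhost -EnableEnhancedSessionMode $TRUE" and "+Set-VMhost -EnableEnhancedSessionMode $TRUE" are identical as rendered, so this is a whitespace-only or markup-only change. Make sure the `>` note that follows ("If enhanced session mode was not previously enabled...") is separated from the command by a blank line so it renders as a blockquote and not as part of the code block.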
@@ -541,7 +541,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. To add available space for the partition, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host:
-
+
Resize-VHD -Path c:\VHD\2012R2-poc-2.vhd -SizeBytes 100GB
$x = (Mount-VHD -Path c:\VHD\2012R2-poc-2.vhd -passthru | Get-Disk | Get-Partition | Get-Volume).DriveLetter
Resize-Partition -DriveLetter $x -Size (Get-PartitionSupportedSize -DriveLetter $x).SizeMax
@@ -549,7 +549,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
2. Verify that the mounted VHD drive is resized to 100 GB, and then dismount the drive:
-
+
Get-Volume -DriveLetter $x
Dismount-VHD -Path c:\VHD\2012R2-poc-2.vhd
@@ -563,7 +563,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
C) Replace each instance of "poc-external" used in this guide with the name of your existing external virtual switch
If you choose B) or C), then do not run the second command below.
-
+
New-VMSwitch -Name poc-internal -SwitchType Internal -Notes "PoC Network"
New-VMSwitch -Name poc-external -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name -Notes "PoC External"
@@ -574,7 +574,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
2. At the elevated Windows PowerShell prompt, type the following command to determine the megabytes of RAM that are currently available on the Hyper-V host:
-
+
(Get-VMHostNumaNode).MemoryAvailable
@@ -582,7 +582,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
3. Determine the available memory for VMs by dividing the available RAM by 4. For example:
-
+
(Get-VMHostNumaNode).MemoryAvailable/4
2775.5
@@ -592,7 +592,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. At the elevated Windows PowerShell prompt, type the following command to create two new VMs. Other VMs will be added later.
>**Important**: Replace the value of 2700MB for $maxRAM in the first command below with the RAM value that you calculated in the previous step.
-
+
$maxRAM = 2700MB
New-VM -Name "DC1" -VHDPath c:\vhd\2012R2-poc-1.vhd -SwitchName poc-internal
Set-VMMemory -VMName "DC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
@@ -609,7 +609,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To create a generation 1 VM (using c:\vhd\w7.vhdx):
-
+
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhdx -SwitchName poc-internal
Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
@@ -617,7 +617,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To create a generation 2 VM (using c:\vhd\PC1.vhdx):
-
+
New-VM -Name "PC1" -Generation 2 -VHDPath c:\vhd\PC1.vhdx -SwitchName poc-internal
Set-VMMemory -VMName "PC1" -DynamicMemoryEnabled $true -MinimumBytes 512MB -MaximumBytes $maxRAM -Buffer 20
Enable-VMIntegrationService -Name "Guest Service Interface" -VMName PC1
@@ -629,7 +629,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
First, type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to create a temporary VHD that will be used to save the OS image. Do not forget to include a pipe (|) at the end of the first five commands:
-
+
New-VHD -Path c:\vhd\d.vhd -SizeBytes 1TB |
Mount-VHD -Passthru |
Get-Disk -Number {$_.DiskNumber} |
@@ -641,7 +641,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
Next, create the PC1 VM with two attached VHDs, and boot to DVD ($maxram must be defined previously using the same Windows PowerShell prompt):
-
+
New-VM -Name "PC1" -VHDPath c:\vhd\w7.vhd -SwitchName poc-internal
Add-VMHardDiskDrive -VMName PC1 -Path c:\vhd\d.vhd
Set-VMDvdDrive -VMName PC1 -Path c:\vhd\w10-enterprise.iso
@@ -659,13 +659,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. Click **Command Prompt**.
5. Type the following command to save an image of the OS drive:
-
+
dism /Capture-Image /ImageFile:D:\c.wim /CaptureDir:C:\ /Name:Drive-C
6. Wait for the OS image to complete saving, and then type the following commands to convert the C: drive to MBR:
-
+
diskpart
select disk 0
clean
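Review bot: the `clean` in the diskpart sequence of step 6 wipes disk 0 without any check that the capture in step 5 actually finished, and the hunk only swaps the fence around the commands. A failed or partial `dism /Capture-Image` followed by `clean` leaves the reader with no way back to the original Windows 7 installation. Suggest a sentence between the two steps asking the reader to confirm the image before continuing, for example `dism /Get-ImageInfo /ImageFile:D:\c.wim`, and to proceed to diskpart only after that succeeds.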
@@ -681,7 +681,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
7. Type the following commands to restore the OS image and boot files:
-
+
dism /Apply-Image /ImageFile:D:\c.wim /Index:1 /ApplyDir:C:\
bcdboot c:\windows
exit
@@ -691,7 +691,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
9. Click **Ctrl+Alt+Del**, and then in the bottom right corner, click **Shut down**.
10. Type the following commands at an elevated Windows PowerShell prompt on the Hyper-V host to remove the temporary disks and drives from PC1:
-
+
Remove-VMHardDiskDrive -VMName PC1 -ControllerType IDE -ControllerNumber 0 -ControllerLocation 1
Set-VMDvdDrive -VMName PC1 -Path $null
@@ -700,7 +700,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
1. At an elevated Windows PowerShell prompt on the Hyper-V host, start the first Windows Server VM and connect to it by typing the following commands:
-
+
Start-VM DC1
vmconnect localhost DC1
@@ -710,7 +710,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
4. Right-click **Start**, point to **Shut down or sign out**, and click **Sign out**. The VM connection will reset and a new connection dialog box will appear enabling you to choose a custom display configuration. Select a desktop size, click **Connect** and sign in again with the local Administrator account. Note: Signing in this way ensures that [enhanced session mode](/windows-server/virtualization/hyper-v/learn-more/Use-local-resources-on-Hyper-V-virtual-machine-with-VMConnect) is enabled. It is only necessary to do this the first time you sign in to a new VM.
5. If DC1 is configured as described in this guide, it will currently be assigned an APIPA address, have a randomly generated hostname, and a single network adapter named "Ethernet." Open an elevated Windows PowerShell prompt on DC1 and type or paste the following commands to provide a new hostname and configure a static IP address and gateway:
-
+
Rename-Computer DC1
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.1 -PrefixLength 24 -DefaultGateway 192.168.0.2
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -722,19 +722,19 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
6. Install the Active Directory Domain Services role by typing the following command at an elevated Windows PowerShell prompt:
-
+
Install-WindowsFeature -Name AD-Domain-Services -IncludeAllSubFeature -IncludeManagementTools
7. Before promoting DC1 to a Domain Controller, you must reboot so that the name change in step 3 above takes effect. To restart the computer, type the following command at an elevated Windows PowerShell prompt:
-
+
Restart-Computer
8. When DC1 has rebooted, sign in again and open an elevated Windows PowerShell prompt. Now you can promote the server to be a domain controller. The directory services restore mode password must be entered as a secure string. Type the following commands at the elevated Windows PowerShell prompt:
-
+
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
Install-ADDSForest -DomainName contoso.com -InstallDns -SafeModeAdministratorPassword $pass -Force
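Review bot: step 8 still embeds the Directory Services Restore Mode password as a literal (`$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force`) and this hunk only changes the fence around it. The DSRM password is a recovery credential for the whole forest; even in a PoC it should be prompted for, e.g. `$pass = Read-Host -AsSecureString "DSRM password"`, or the text should at least say the literal is a placeholder to be replaced. Separately, step 7 says the reboot is needed "so that the name change in step 3 above takes effect", but the `Rename-Computer DC1` is in step 5, so the cross-reference should read "step 5".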
@@ -743,7 +743,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
9. When the reboot has completed, reconnect to DC1, sign in using the CONTOSO\Administrator account, open an elevated Windows PowerShell prompt, and use the following commands to add a reverse lookup zone for the PoC network, add the DHCP Server role, authorize DHCP in Active Directory, and suppress the post-DHCP-install alert:
-
+
Add-DnsServerPrimaryZone -NetworkID "192.168.0.0/24" -ReplicationScope Forest
Add-WindowsFeature -Name DHCP -IncludeManagementTools
netsh dhcp add securitygroups
@@ -754,7 +754,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
10. Next, add a DHCP scope and set option values:
-
+
Add-DhcpServerv4Scope -Name "PoC Scope" -StartRange 192.168.0.100 -EndRange 192.168.0.199 -SubnetMask 255.255.255.0 -Description "Windows 10 PoC" -State Active
Set-DhcpServerv4OptionValue -ScopeId 192.168.0.0 -DnsDomain contoso.com -Router 192.168.0.2 -DnsServer 192.168.0.1,192.168.0.2 -Force
@@ -763,13 +763,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
11. The DNS server role will also be installed on the member server, SRV1, at 192.168.0.2 so that we can forward DNS queries from DC1 to SRV1 to resolve Internet names without having to configure a forwarder outside the PoC network. Since the IP address of SRV1 already exists on DC1's network adapter, it will be automatically added during the DCPROMO process. To verify this server-level DNS forwarder on DC1, type the following command at an elevated Windows PowerShell prompt on DC1:
-
+
Get-DnsServerForwarder
The following output should be displayed:
-
+
UseRootHint : True
Timeout(s) : 3
EnableReordering : True
@@ -779,7 +779,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
If this output is not displayed, you can use the following command to add SRV1 as a forwarder:
-
+
Add-DnsServerForwarder -IPAddress 192.168.0.2
@@ -791,7 +791,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
New-ADUser -Name User1 -UserPrincipalName user1 -Description "User account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name MDT_BA -UserPrincipalName MDT_BA -Description "MDT Build Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
New-ADUser -Name CM_JD -UserPrincipalName CM_JD -Description "Configuration Manager Join Domain Account" -AccountPassword (ConvertTo-SecureString "pass@word1" -AsPlainText -Force) -ChangePasswordAtLogon $false -Enabled $true
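Review bot: step 12 creates User1, MDT_BA and CM_JD with the same literal password and `-ChangePasswordAtLogon $false`, and the hunk only touches the fence. The two service accounts (MDT build, Configuration Manager domain join) will be granted rights later in the guide that outlive the PoC, so sharing one well-known password across them is the wrong pattern to teach. Suggest distinct passwords per account, taken with `Read-Host -AsSecureString` rather than written inline, and a note that these values are placeholders.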
@@ -810,7 +810,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
13. If the PC1 VM is not started yet, using an elevated Windows PowerShell prompt on the Hyper-V host, start the client VM (PC1), and connect to it:
-
+
Start-VM PC1
vmconnect localhost PC1
@@ -866,7 +866,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
18. Minimize the PC1 window and switch to the Hyper-V host computer. Open an elevated Windows PowerShell ISE window on the Hyper-V host (right-click Windows PowerShell and then click **Run ISE as Administrator**) and type the following commands in the (upper) script editor pane:
-
+
(Get-WmiObject Win32_ComputerSystem).UnjoinDomainOrWorkgroup($null,$null,0)
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
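Review bot: the script saved as c:\VHD\pc1.ps1 in step 18 carries the domain administrator credential in clear text (`$pass = "pass@word1"`, `$user = "contoso\administrator"`), and step 20 copies that file onto PC1 via Copy-VMFile where it stays at C:\pc1.ps1; the hunk changes only the fence. Suggest adding a `Remove-Item C:\pc1.ps1` once step 21 has run, and preferably joining with a least-privilege account delegated the right to join computers instead of contoso\administrator, so the domain admin password never needs to be on the client at all.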
@@ -884,7 +884,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
19. Click **File**, click **Save As**, and save the commands as **c:\VHD\pc1.ps1** on the Hyper-V host.
20. In the (lower) terminal input window, type the following commands to enable Guest Service Interface on PC1 and then use this service to copy the script to PC1:
-
+
Enable-VMIntegrationService -VMName PC1 -Name "Guest Service Interface"
Copy-VMFile "PC1" -SourcePath "C:\VHD\pc1.ps1" -DestinationPath "C:\pc1.ps1" -CreateFullPath -FileSource Host
@@ -895,7 +895,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
21. On PC1, type the following commands at an elevated Windows PowerShell prompt:
-
+
Get-Content c:\pc1.ps1 | powershell.exe -noprofile -
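Review bot: `Get-Content c:\pc1.ps1 | powershell.exe -noprofile -` feeds the script to a child PowerShell on stdin, which sidesteps the client's execution policy (the same pattern endpoint detection rules flag as a policy bypass). That is acceptable in a lab, but the doc should say why it is done this way, namely that the copied script is unsigned and the default policy on PC1 would block `.\pc1.ps1`; otherwise readers will carry the idiom into production. `powershell.exe -ExecutionPolicy Bypass -File C:\pc1.ps1` is at least explicit about what it is doing.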
@@ -906,7 +906,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
23. Minimize the PC1 window but do not turn it off while the second Windows Server 2012 R2 VM (SRV1) is configured. This verifies that the Hyper-V host has enough resources to run all VMs simultaneously. Next, SRV1 will be started, joined to the contoso.com domain, and configured with RRAS and DNS services.
24. On the Hyper-V host computer, at an elevated Windows PowerShell prompt, type the following commands:
-
+
Start-VM SRV1
vmconnect localhost SRV1
@@ -915,7 +915,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
26. Sign in to SRV1 using the local administrator account. In the same way that was done on DC1, sign out of SRV1 and then sign in again to enable enhanced session mode. This will enable you to copy and paste Windows PowerShell commands from the Hyper-V host to the VM.
27. Open an elevated Windows PowerShell prompt on SRV1 and type the following commands:
-
+
Rename-Computer SRV1
New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 192.168.0.2 -PrefixLength 24
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddresses 192.168.0.1,192.168.0.2
@@ -927,7 +927,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
28. Wait for the computer to restart, sign in again, then type the following commands at an elevated Windows PowerShell prompt:
-
+
$pass = "pass@word1" | ConvertTo-SecureString -AsPlainText -Force
$user = "contoso\administrator"
$cred = New-Object System.Management.Automation.PSCredential($user,$pass)
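Review bot: step 28 repeats the pattern from step 18: the domain administrator password is typed as a literal into `$pass` before `New-Object System.Management.Automation.PSCredential($user,$pass)`, and the hunk only changes the fence. `$cred = Get-Credential contoso\administrator` yields the same PSCredential object without the plaintext landing in the doc or the console history, and removes the need to keep this literal in sync with the copy in step 18.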
@@ -937,7 +937,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
29. Sign in to the contoso.com domain on SRV1 using the domain administrator account (enter contoso\administrator as the user), open an elevated Windows PowerShell prompt, and type the following commands:
-
+
Install-WindowsFeature -Name DNS -IncludeManagementTools
Install-WindowsFeature -Name WDS -IncludeManagementTools
Install-WindowsFeature -Name Routing -IncludeManagementTools
@@ -947,7 +947,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
To view a list of interfaces, associated interface aliases, and IP addresses on SRV1, type the following Windows PowerShell command. Example output of the command is also shown below:
-
+
Get-NetAdapter | ? status -eq ‘up’ | Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias
IPAddress InterfaceAlias
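Review bot: the filter in `Get-NetAdapter | ? status -eq ‘up’` uses typographic single quotes (‘ ’) instead of ASCII `'`. PowerShell's tokenizer accepts them, so the line works when pasted into a PowerShell console, but it breaks if copied into another shell or a script edited in a tool that normalises quotes, and every other command on this page uses ASCII quotes. Suggest `'up'`.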
@@ -964,7 +964,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
31. To configure SRV1 with routing capability for the PoC network, type or paste the following commands at an elevated Windows PowerShell prompt on SRV1:
-
+
Install-RemoteAccess -VpnType Vpn
cmd /c netsh routing ip nat install
cmd /c netsh routing ip nat add interface name="Ethernet 2" mode=FULL
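Review bot: `Install-RemoteAccess -VpnType Vpn` in step 31 stands up a remote-access VPN server on SRV1 when the stated goal is only NAT for the PoC network (`netsh routing ip nat install` / `add interface name="Ethernet 2" mode=FULL`). The RemoteAccess module also accepts `-VpnType RoutingOnly`, which installs routing without exposing a VPN listener on the external adapter; suggest using that, or stating why a VPN endpoint is wanted on the host that faces the corporate network.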
@@ -974,13 +974,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
32. The DNS service on SRV1 also needs to resolve hosts in the `contoso.com` domain. This can be accomplished with a conditional forwarder. Open an elevated Windows PowerShell prompt on SRV1 and type the following command:
-
+
Add-DnsServerConditionalForwarderZone -Name contoso.com -MasterServers 192.168.0.1
33. In most cases, this completes configuration of the PoC network. However, if your corporate network has a firewall that filters queries from local DNS servers, you will also need to configure a server-level DNS forwarder on SRV1 to resolve Internet names. To test whether or not DNS is working without this forwarder, try to reach a name on the Internet from DC1 or PC1, which are only using DNS services on the PoC network. You can test DNS with the ping command, for example:
-
+
ping www.microsoft.com
@@ -988,13 +988,13 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
**Note**: This command also assumes that "Ethernet 2" is the external-facing network adapter on SRV1. If the external adapter has a different name, replace "Ethernet 2" in the command below with that name:
-
+
Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses
34. If DNS and routing are both working correctly, you will see the following on DC1 and PC1 (the IP address might be different, but that is OK):
-
+
PS C:\> ping www.microsoft.com
Pinging e2847.dspb.akamaiedge.net [23.222.146.170] with 32 bytes of data:
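Review bot: `Add-DnsServerForwarder -IPAddress (Get-DnsClientServerAddress -InterfaceAlias "Ethernet 2").ServerAddresses` in step 33 collects the DNS servers of every address family on that adapter, so any IPv6 resolver learned on the external interface becomes a forwarder as well. Adding `-AddressFamily IPv4` to `Get-DnsClientServerAddress` keeps the forwarder list to what the rest of this page configures (192.168.0.x, IPv4 only) and avoids forwarding internal queries to a resolver the reader never chose.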
@@ -1012,7 +1012,7 @@ The second Windows Server 2012 R2 VHD needs to be expanded in size from 40GB to
35. Verify that all three VMs can reach each other, and the Internet. See [Appendix A: Verify the configuration](#appendix-a-verify-the-configuration) for more information.
36. Lastly, because the client computer has different hardware after copying it to a VM, its Windows activation will be invalidated and you might receive a message that you must activate Windows in 3 days. To extend this period to 30 days, type the following commands at an elevated Windows PowerShell prompt on PC1:
-
+
runas /noprofile /env /user:administrator@contoso.com "cmd /c slmgr -rearm"
Restart-Computer
@@ -1025,7 +1025,7 @@ Use the following procedures to verify that the PoC environment is configured pr
1. On DC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
Get-Service NTDS,DNS,DHCP
DCDiag -a
Get-DnsServerResourceRecord -ZoneName contoso.com -RRType A
@@ -1047,7 +1047,7 @@ Use the following procedures to verify that the PoC environment is configured pr
2. On SRV1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
Get-Service DNS,RemoteAccess
Get-DnsServerForwarder
Resolve-DnsName -Server dc1.contoso.com -Name www.microsoft.com
@@ -1063,7 +1063,7 @@ Use the following procedures to verify that the PoC environment is configured pr
3. On PC1, open an elevated Windows PowerShell prompt and type the following commands:
-
+
whoami
hostname
nslookup www.microsoft.com
@@ -1082,7 +1082,7 @@ Use the following procedures to verify that the PoC environment is configured pr
@@ -62,4 +62,4 @@ The following image shows the field for EAP XML in a Microsoft Intune VPN profil
- [VPN name resolution](vpn-name-resolution.md)
- [VPN auto-triggered profile options](vpn-auto-trigger-profile.md)
- [VPN security features](vpn-security-features.md)
-- [VPN profile options](vpn-profile-options.md)
\ No newline at end of file
+- [VPN profile options](vpn-profile-options.md)
diff --git a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
index 44b05da541..128afcfee9 100644
--- a/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
+++ b/windows/security/identity-protection/vpn/vpn-auto-trigger-profile.md
@@ -1,13 +1,13 @@
---
-title: VPN auto-triggered profile options (Windows 10)
-description: Learn about the types of auto-trigger rules for VPNs in Windows 10, which start a VPN when it is needed to access a resource.
+title: VPN auto-triggered profile options (Windows 10 and Windows 11)
+description: Learn about the types of auto-trigger rules for VPNs in Windows, which start a VPN when it is needed to access a resource.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -17,9 +17,9 @@ ms.author: dansimp
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
-In Windows 10, a number of features were added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
+In Windows 10 and Windows 11, a number of features have been added to auto-trigger VPN so users won’t have to manually connect when VPN is needed to access necessary resources. There are three different types of auto-trigger rules:
- App trigger
- Name-based trigger
@@ -31,7 +31,7 @@ In Windows 10, a number of features were added to auto-trigger VPN so users won
## App trigger
-VPN profiles in Windows 10 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
+VPN profiles in Windows 10 or Windows 11 can be configured to connect automatically on the launch of a specified set of applications. You can configure desktop or Universal Windows Platform (UWP) apps to trigger a VPN connection. You can also configure per-app VPN and specify traffic rules for each app. See [Traffic filters](vpn-security-features.md#traffic-filters) for more details.
The app identifier for a desktop app is a file path. The app identifier for a UWP app is a package family name.
@@ -54,7 +54,7 @@ There are four types of name-based triggers:
## Always On
-Always On is a feature in Windows 10 which enables the active VPN profile to connect automatically on the following triggers:
+Always On is a feature in Windows 10 and Windows 11 which enables the active VPN profile to connect automatically on the following triggers:
- User sign-in
- Network change
diff --git a/windows/security/identity-protection/vpn/vpn-conditional-access.md b/windows/security/identity-protection/vpn/vpn-conditional-access.md
index 66baa88e46..068d41d1a5 100644
--- a/windows/security/identity-protection/vpn/vpn-conditional-access.md
+++ b/windows/security/identity-protection/vpn/vpn-conditional-access.md
@@ -1,5 +1,5 @@
---
-title: VPN and conditional access (Windows 10)
+title: VPN and conditional access (Windows 10 and Windows 11)
description: Learn how to integrate the VPN client with the Conditional Access Platform, so you can create access rules for Azure Active Directory (Azure AD) connected apps.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -10,12 +10,12 @@ ms.author: dansimp
manager: dansimp
ms.reviewer:
ms.localizationpriority: medium
-ms.date: 03/21/2019
+ms.date: 09/23/2021
---
# VPN and conditional access
->Applies to: Windows 10 and Windows 10 Mobile
+>Applies to: Windows 10 and Windows 11
The VPN client is now able to integrate with the cloud-based Conditional Access Platform to provide a device compliance option for remote clients. Conditional Access is a policy-based evaluation engine that lets you create access rules for any Azure Active Directory (Azure AD) connected application.
@@ -91,7 +91,7 @@ The VPN client side connection flow works as follows:
When a VPNv2 Profile is configured with \Term
diff --git a/windows/deployment/windows-10-subscription-activation.md b/windows/deployment/windows-10-subscription-activation.md
index 16e8c70c2a..4d6d62258a 100644
--- a/windows/deployment/windows-10-subscription-activation.md
+++ b/windows/deployment/windows-10-subscription-activation.md
@@ -1,6 +1,6 @@
---
-title: Windows 10 Subscription Activation
-description: In this article, you will learn how to dynamically enable Windows 10 Enterprise or Education subscriptions.
+title: Windows 10/11 Subscription Activation
+description: In this article, you will learn how to dynamically enable Windows 10 and Windows 11 Enterprise or Education subscriptions.
keywords: upgrade, update, task sequence, deploy
ms.custom: seo-marvel-apr2020
ms.prod: w10
@@ -10,52 +10,60 @@ ms.sitesec: library
ms.pagetype: mdt
audience: itpro
author: greg-lindsay
-manager: laurawi
+manager: dougeby
ms.collection: M365-modern-desktop
search.appverid:
- MET150
ms.topic: article
---
-# Windows 10 Subscription Activation
+# Windows 10/11 Subscription Activation
-Starting with Windows 10, version 1703 Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro to **Windows 10 Enterprise** automatically if they are subscribed to Windows 10 Enterprise E3 or E5.
+Applies to:
+- Windows 10
+- Windows 11
-With Windows 10, version 1903 the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education to the Enterprise grade edition for educational institutions—**Windows 10 Education**.
+Starting with Windows 10, version 1703, Windows 10 Pro supports the Subscription Activation feature, enabling users to “step-up” from Windows 10 Pro or Windows 11 Pro to **Windows 10 Enterprise** or **Windows 11 Enterprise**, respectively, if they are subscribed to Windows 10/11 Enterprise E3 or E5.
-The Subscription Activation feature eliminates the need to manually deploy Windows 10 Enterprise or Education images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
+With Windows 10, version 1903 and later, the Subscription Activation feature also supports the ability to step-up from Windows 10 Pro Education or Windows 11 Pro Education to the Enterprise grade editions for educational institutions—**Windows 10 Education** or **Windows 11 Education**.
-## Subscription Activation for Windows 10 Enterprise
+The Subscription Activation feature eliminates the need to manually deploy Enterprise or Education edition images on each target device, then later standing up on-prem key management services such as KMS or MAK based activation, entering Generic Volume License Keys (GVLKs), and subsequently rebooting client devices.
-With Windows 10, version 1703 both Windows 10 Enterprise E3 and Windows 10 Enterprise E5 are available as online services via subscription. Deploying [Windows 10 Enterprise](planning/windows-10-enterprise-faq-itpro.yml) in your organization can now be accomplished with no keys and no reboots.
+See the following topics:
+
+- [Subscription Activation](#subscription-activation-for-windows-1011-enterprise): An introduction to Subscription Activation for Windows 10/11 Enterprise.
+- [Subscription Activation for Education](#subscription-activation-for-windows-1011-enterprise): Information about Subscription Activation for Windows 10/11 Education.
+- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
+- [The evolution of deployment](#the-evolution-of-deployment): A short history of Windows deployment.
+- [Requirements](#requirements): Prerequisites to use the Windows 10/11 Subscription Activation model.
+- [Benefits](#benefits): Advantages of subscription-based licensing.
+- [How it works](#how-it-works): A summary of the subscription-based licensing option.
+- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): How to enable Windows 10 Subscription Activation for VMs in the cloud.
+
+For information on how to deploy Enterprise licenses, see [Deploy Windows 10/11 Enterprise licenses](deploy-enterprise-licenses.md).
+
+## Subscription Activation for Windows 10/11 Enterprise
+
+With Windows 10, version 1703 and later both Windows 10/11 Enterprise E3 and Windows 10/11 Enterprise E5 are available as online services via subscription. Deploying Windows 10 Enterprise or Windows 11 Enterprise in your organization can now be accomplished with no keys and no reboots.
If you are running Windows 10, version 1703 or later:
-
-- Devices with a current Windows 10 Pro license can be seamlessly upgraded to Windows 10 Enterprise.
-- Product key-based Windows 10 Enterprise software licenses can be transitioned to Windows 10 Enterprise subscriptions.
+- Devices with a current Windows 10 Pro license or Windows 11 Pro license can be seamlessly upgraded to Windows 10 Enterprise or Windows 11 Enterprise, respectively.
+- Product key-based Windows 10 Enterprise or Windows 11 Enterprise software licenses can be transitioned to Windows 10 Enterprise and Windows 11 Enterprise subscriptions.
Organizations that have an Enterprise agreement can also benefit from the new service, using traditional Active Directory-joined devices. In this scenario, the Active Directory user that signs in on their device must be synchronized with Azure AD using [Azure AD Connect Sync](/azure/active-directory/connect/active-directory-aadconnectsync-whatis).
-## Subscription Activation for Windows 10 Education
+> [!NOTE]
+> The Subscription Activation feature is available for qualifying devices running Windows 10 or Windows 11. You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11.
-Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later and an active subscription plan with a Windows 10 Enterprise license. For more information, see the [requirements](#windows-10-education-requirements) section.
+## Subscription Activation for Education
-## Summary
-
-- [Inherited Activation](#inherited-activation): Description of a new feature available in Windows 10, version 1803 and later.
-- [The evolution of Windows 10 deployment](#the-evolution-of-deployment): A short history of Windows deployment.
-- [Requirements](#requirements): Prerequisites to use the Windows 10 Subscription Activation model.
-- [Benefits](#benefits): Advantages of Windows 10 subscription-based licensing.
-- [How it works](#how-it-works): A summary of the subscription-based licensing option.
-- [Virtual Desktop Access (VDA)](#virtual-desktop-access-vda): Enable Windows 10 Subscription Activation for VMs in the cloud.
-
-For information on how to deploy Windows 10 Enterprise licenses, see [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
+Subscription Activation for Education works the same as the Enterprise version, but in order to use Subscription Activation for Education, you must have a device running Windows 10 Pro Education, version 1903 or later (or Windows 11) and an active subscription plan with a Windows 10/11 Enterprise license. For more information, see the [requirements](#windows-1011-education-requirements) section.
## Inherited Activation
-Inherited Activation is a new feature available in Windows 10, version 1803 that allows Windows 10 virtual machines to inherit activation state from their Windows 10 host.
+Inherited Activation is a new feature available in Windows 10, version 1803 or later (Windows 11 is considered "later" here) that allows Windows 10/11 virtual machines to inherit activation state from their Windows 10/11 host.
-When a user with Windows 10 E3/E5 or A3/A5 license assigned creates a new Windows 10 virtual machine (VM) using a Windows 10 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM.
+When a user with Windows 10/11 E3/E5 or A3/A5 license assigned creates a new Windows 10 or Windows 11 virtual machine (VM) using a Windows 10/11 local host, the VM inherits the activation state from a host machine independent of whether user signs on with a local account or using an Azure Active Directory (AAD) account on a VM.
To support Inherited Activation, both the host computer and the VM must be running Windows 10, version 1803 or later. The hypervisor platform must also be Windows Hyper-V.
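Review bot: the "See the following topics" list in this hunk links *Subscription Activation for Education* to `#subscription-activation-for-windows-1011-enterprise`, the same anchor as the Enterprise entry above it, while the section it describes is headed `## Subscription Activation for Education` further down; the target should be `#subscription-activation-for-education`. Also, the rewritten opening sentence ("Starting with Windows 10, version 1703, Windows 10 Pro supports ... step-up from Windows 10 Pro or Windows 11 Pro") reads as if Windows 11 existed at version 1703; the NOTE added below it ("You cannot use Subscription Activation to upgrade from Windows 10 to Windows 11") is the clearer statement, and the sentence could simply say that Windows 10 Pro (version 1703 or later) and Windows 11 Pro support the feature.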
@@ -63,43 +71,35 @@ To support Inherited Activation, both the host computer and the VM must be runni
> The original version of this section can be found at [Changing between Windows SKUs](/archive/blogs/mniehaus/changing-between-windows-skus).
-The following figure illustrates how deploying Windows 10 has evolved with each release. With this release, deployment is automatic.
-
-
+The following list illustrates how deploying Windows client has evolved with each release:
- **Windows 7** required you to redeploy the operating system using a full wipe-and-load process if you wanted to change from Windows 7 Professional to Windows 10 Enterprise.
-
- **Windows 8.1** added support for a Windows 8.1 Pro to Windows 8.1 Enterprise in-place upgrade (considered a “repair upgrade” because the OS version was the same before and after). This was a lot easier than wipe-and-load, but it was still time-consuming.
-
- **Windows 10, version 1507** added the ability to install a new product key using a provisioning package or using MDM to change the SKU. This required a reboot, which would install the new OS components, and took several minutes to complete. However, it was a lot quicker than in-place upgrade.
-
- **Windows 10, version 1607** made a big leap forward. Now you can just change the product key and the SKU instantly changes from Windows 10 Pro to Windows 10 Enterprise. In addition to provisioning packages and MDM, you can just inject a key using SLMGR.VBS (which injects the key into WMI), so it became trivial to do this using a command line.
-
- **Windows 10, version 1703** made this “step-up” from Windows 10 Pro to Windows 10 Enterprise automatic for those that subscribed to Windows 10 Enterprise E3 or E5 via the CSP program.
-
- **Windows 10, version 1709** adds support for Windows 10 Subscription Activation, very similar to the CSP support but for large enterprises, enabling the use of Azure AD for assigning licenses to users. When those users sign in on an AD or Azure AD-joined machine, it automatically steps up from Windows 10 Pro to Windows 10 Enterprise.
-
- **Windows 10, version 1803** updates Windows 10 Subscription Activation to enable pulling activation keys directly from firmware for devices that support firmware-embedded keys. It is no longer necessary to run a script to perform the activation step on Windows 10 Pro prior to activating Enterprise. For virtual machines and hosts running Windows 10, version 1803 [Inherited Activation](#inherited-activation) is also enabled.
-
- **Windows 10, version 1903** updates Windows 10 Subscription Activation to enable step up from Windows 10 Pro Education to Windows 10 Education for those with a qualifying Windows 10 or Microsoft 365 subscription.
+- **Windows 11** updates Subscription Activation to work on both Windows 10 and Windows 11 devices. **Important**: Subscription activation does not update a device from Windows 10 to Windows 11. Only the edition is updated.
## Requirements
-### Windows 10 Enterprise requirements
+### Windows 10/11 Enterprise requirements
> [!NOTE]
-> The following requirements do not apply to general Windows 10 activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
+> The following requirements do not apply to general Windows client activation on Azure. Azure activation requires a connection to Azure KMS only, and supports workgroup, Hybrid, and Azure AD-joined VMs. In most scenarios, activation of Azure VMs happens automatically. For more information, see [Understanding Azure KMS endpoints for Windows product activation of Azure Virtual Machines](/azure/virtual-machines/troubleshooting/troubleshoot-activation-problems#understanding-azure-kms-endpoints-for-windows-product-activation-of-azure-virtual-machines).
-> [!NOTE]
+> [!IMPORTANT]
> Currently, Subscription Activation is only available on commercial tenants and is currently not available on US GCC, GCC High, or DoD tenants.
For Microsoft customers with Enterprise Agreements (EA) or Microsoft Products & Services Agreements (MPSA), you must have the following:
-- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded.
+- Windows 10 (Pro or Enterprise) version 1703 or later installed on the devices to be upgraded. Windows 11 is considered a "later" version in this context.
- Azure Active Directory (Azure AD) available for identity management.
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
-For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
+For Microsoft customers that do not have EA or MPSA, you can obtain Windows 10 Enterprise E3/E5 or A3/A5 through a cloud solution provider (CSP). Identity management and device requirements are the same when you use CSP to manage licenses, with the exception that Windows 10/11 Enterprise E3 is also available through CSP to devices running Windows 10, version 1607. For more information about obtaining Windows 10/11 Enterprise E3 through your CSP, see [Windows 10 Enterprise E3 in CSP](windows-10-enterprise-e3-overview.md).
If devices are running Windows 7 or Windows 8.1, see [New Windows 10 upgrade benefits for Windows Cloud Subscriptions in CSP](https://www.microsoft.com/en-us/microsoft-365/blog/2017/01/19/new-windows-10-upgrade-benefits-windows-cloud-subscriptions-csp/)
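Review bot: the rename in the CSP paragraph is only partial: it opens with "Windows 10 Enterprise E3/E5 or A3/A5", then switches to "Windows 10/11 Enterprise E3" twice in the same paragraph, and the link text stays "Windows 10 Enterprise E3 in CSP"; pick one form for the whole paragraph (the "Windows 11 is considered a 'later' version" sentence added to the first bullet suggests "Windows 10/11" is the intended one). The unchanged trailing line about Windows 7 and Windows 8.1 also ends without a period after the link.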
@@ -123,14 +123,11 @@ If the device is running Windows 10, version 1809 or later:

-### Windows 10 Education requirements
+### Windows 10/11 Education requirements
- Windows 10 Pro Education, version 1903 or later installed on the devices to be upgraded.
-
- A device with a Windows 10 Pro Education digital license. You can confirm this information in **Settings > Update & Security > Activation**.
-
- The Education tenant must have an active subscription to Microsoft 365 with a Windows 10 Enterprise license or a Windows 10 Enterprise or Education subscription.
-
- Devices must be Azure AD-joined or Hybrid Azure AD joined. Workgroup-joined or Azure AD registered devices are not supported.
> [!IMPORTANT]
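Review bot: the heading is renamed to "Windows 10/11 Education requirements", but the bullets beneath it still name only "Windows 10 Pro Education, version 1903 or later", "a Windows 10 Pro Education digital license" and "a Windows 10 Enterprise license", so a reader on Windows 11 cannot tell whether they qualify. Add the same clarifying sentence used in the Enterprise list ("Windows 11 is considered a 'later' version in this context.") after the first bullet, or switch the bullets to "Windows 10/11".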
@@ -139,7 +136,7 @@ If the device is running Windows 10, version 1809 or later:
## Benefits
-With Windows 10 Enterprise or Windows 10 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10 Education or Windows 10 Enterprise to their users. Now, with Windows 10 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
+With Windows 10/11 Enterprise or Windows 10/11 Education, businesses and institutions can benefit from enterprise-level security and control. Previously, only organizations with a Microsoft Volume Licensing Agreement could deploy Windows 10/11 Education or Windows 10/11 Enterprise to their users. Now, with Windows 10/11 Enterprise E3 or A3 and E5 or A5 being available as a true online service, it is available in select channels thus allowing all organizations to take advantage of enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing, see the following:
- [Compare Windows 10 editions](https://www.microsoft.com/windowsforbusiness/compare)
- [Enterprise Mobility + Security Pricing Options](https://www.microsoft.com/cloud-platform/enterprise-mobility-security-pricing)
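Review bot: the last two sentences of the Benefits paragraph ("enterprise-grade Windows 10 features. To compare Windows 10 editions and review pricing") and the "Compare Windows 10 editions" link text are left as Windows 10 only, while every other occurrence in the paragraph became "Windows 10/11"; either align them or leave the whole paragraph unchanged. While touching the line, "it is available in select channels thus allowing all organizations" reads as a run-on; "it is available in select channels, allowing all organizations" is enough.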
@@ -158,6 +155,9 @@ You can benefit by moving to Windows as an online service in the following ways:
## How it works
+> [!NOTE]
+> The following Windows 10 examples and scenarios also apply to Windows 11.
+
The device is AAD joined from **Settings > Accounts > Access work or school**.
The IT administrator assigns Windows 10 Enterprise to a user. See the following figure.
@@ -214,8 +214,8 @@ If you’re running Windows 7, it can be more work. A wipe-and-load approach w
The following policies apply to acquisition and renewal of licenses on devices:
- Devices that have been upgraded will attempt to renew licenses about every 30 days, and must be connected to the Internet to successfully acquire or renew a license.
-- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10 Pro or Windows 10 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
-- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10 Pro or Windows 10 Pro Education.
+- If a device is disconnected from the Internet until its current subscription expires, the operating system will revert to Windows 10/11 Pro or Windows 10/11 Pro Education. As soon as the device is connected to the Internet again, the license will automatically renew.
+- Up to five devices can be upgraded for each user license. If the user license is used for a sixth device, the operating system on the computer to which a user has not logged in the longest will revert to Windows 10/11 Pro or Windows 10/11 Pro Education.
- If a device meets the requirements and a licensed user signs in on that device, it will be upgraded.
Licenses can be reallocated from one user to another user, allowing you to optimize your licensing investment against changing needs.
@@ -224,7 +224,7 @@ When you have the required Azure AD subscription, group-based licensing is the p
### Existing Enterprise deployments
-If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
+If you are running Windows 10, version 1803 or later, Subscription Activation will automatically pull the firmware-embedded Windows 10 activation key and activate the underlying Pro License. The license will then step-up to Windows 10/11 Enterprise using Subscription Activation. This automatically migrates your devices from KMS or MAK activated Enterprise to Subscription activated Enterprise.
> [!CAUTION]
> Firmware-embedded Windows 10 activation happens automatically only when we go through OOBE (Out Of Box Experience).
@@ -273,7 +273,7 @@ See [Deploy Windows 10 Enterprise licenses](deploy-enterprise-licenses.md).
## Virtual Desktop Access (VDA)
-Subscriptions to Windows 10 Enterprise are also available for virtualized clients. Windows 10 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
+Subscriptions to Windows 10/11 Enterprise are also available for virtualized clients. Windows 10/11 Enterprise E3 and E5 are available for Virtual Desktop Access (VDA) in Windows Azure or in another [qualified multitenant hoster](https://microsoft.com/en-us/CloudandHosting/licensing_sca.aspx).
Virtual machines (VMs) must be configured to enable Windows 10 Enterprise subscriptions for VDA. Active Directory-joined and Azure Active Directory-joined clients are supported. See [Enable VDA for Subscription Activation](vda-subscription-activation.md).
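Review bot: "Windows Azure" in the rewritten VDA sentence is the pre-2014 product name; the current name is Microsoft Azure, and the rest of the article already says "Azure". The unchanged next line still says "Windows 10 Enterprise subscriptions for VDA" while the line above it now says "Windows 10/11 Enterprise", so the two sentences disagree. The hoster link also carries an `en-us` locale segment in the URL, which the same article avoids elsewhere.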
diff --git a/windows/deployment/windows-adk-scenarios-for-it-pros.md b/windows/deployment/windows-adk-scenarios-for-it-pros.md
index 9c27c2ce11..39d68c7a0e 100644
--- a/windows/deployment/windows-adk-scenarios-for-it-pros.md
+++ b/windows/deployment/windows-adk-scenarios-for-it-pros.md
@@ -71,7 +71,7 @@ Here are some things you can do with Windows SIM:
For a list of settings you can change, see [Unattended Windows Setup Reference](/windows-hardware/customize/desktop/unattend/) on the MSDN Hardware Dev Center.
-### Create a Windows image using Windows ICD
+### Create a provisioning package using Windows ICD
Introduced in Windows 10, [Windows Imaging and Configuration Designer (ICD)](/windows/configuration/provisioning-packages/provisioning-install-icd) streamlines the customizing and provisioning of a Windows 10 for desktop editions (Home, Pro, Enterprise, and Education) or Windows 10 IoT Core (IoT Core) image.
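Review bot: the heading changes from "Create a Windows image using Windows ICD" to "Create a provisioning package using Windows ICD", but the unchanged sentence directly under it still says ICD "streamlines the customizing and provisioning of a Windows 10 ... image", so the section now promises a provisioning package and describes image customization. Reword the intro to match the new heading, for example "streamlines the creation of provisioning packages that customize Windows 10 for desktop editions ... or Windows 10 IoT Core devices", in line with the remaining bullets (build, apply and export a provisioning package).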
@@ -79,7 +79,6 @@ Here are some things you can do with Windows ICD:
- [Build and apply a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
- [Export a provisioning package](/windows/configuration/provisioning-packages/provisioning-create-package)
-- [Build and deploy an image for Windows 10 for desktop editions](https://msdn.microsoft.com/library/windows/hardware/dn916105.aspx)
### IT Pro Windows deployment tools
@@ -90,4 +89,4 @@ There are also a few tools included in the Windows ADK that are specific to IT P
-
\ No newline at end of file
+
diff --git a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
index 74e099fc82..b47dd4d0f2 100644
--- a/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
+++ b/windows/deployment/windows-autopilot/demonstrate-deployment-on-vm.md
@@ -2,7 +2,7 @@
title: Demonstrate Autopilot deployment
ms.reviewer:
manager: laurawi
-description: In this article, find step-by-step instructions on how to set-up a Virtual Machine with a Windows Autopilot deployment.
+description: In this article, find step-by-step instructions on how to set up a Virtual Machine with a Windows Autopilot deployment.
keywords: mdm, setup, windows, windows 10, oobe, manage, deploy, autopilot, ztd, zero-touch, partner, msfb, intune, upgrade
ms.prod: w10
ms.mktglfcycl: deploy
@@ -27,12 +27,12 @@ ms.custom:
To get started with Windows Autopilot, you should try it out with a virtual machine (VM) or you can use a physical device that will be wiped and then have a fresh install of Windows 10.
-In this topic you'll learn how to set-up a Windows Autopilot deployment for a VM using Hyper-V.
+In this topic, you'll learn how to set up a Windows Autopilot deployment for a VM using Hyper-V.
> [!NOTE]
> Although there are [multiple platforms](/mem/autopilot/add-devices#registering-devices) available to enable Autopilot, this lab primarily uses Intune.
->
-> Hyper-V and a VM are not required for this lab. You can also use a physical device. However, the instructions assume that you are using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
+>
+> Hyper-V and a VM are not required for this lab. You can use a physical device instead. However, the instructions assume that you're using a VM. To use a physical device, skip the instructions to install Hyper-V and create a VM. All references to 'device' in the guide refer to the client device, either physical or virtual.
The following video provides an overview of the process:
@@ -44,58 +44,59 @@ The following video provides an overview of the process:
## Prerequisites
These are the things you'll need to complete this lab:
-
+
+| | Description |
+|:---|:---|
+|**Windows 10 installation media**|Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you don't already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.|
+|**Internet access**|If you're behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the internet.|
+|**Hyper-V or a physical device running Windows 10**|The guide assumes that you'll use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V.|
+|**An account with Azure Active Directory (AD) Premium license**|This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.|
## Procedures
-A summary of the sections and procedures in the lab is provided below. Follow each section in the order it is presented, skipping the sections that do not apply to you. Optional procedures are provided in the appendix.
+A summary of the sections and procedures in the lab is provided below. Follow each section in the order it's presented, skipping the sections that don't apply to you. Optional procedures are provided in the appendices.
If you already have Hyper-V and a Windows 10 VM, you can skip directly to the [Capture the hardware ID](#capture-the-hardware-id) step. The VM must be running Windows 10, version 1903 or a later version.
-[Verify support for Hyper-V](#verify-support-for-hyper-v)
-
-Windows 10 installation media Windows 10 Professional or Enterprise (ISO file) for a supported version of Windows 10, semi-annual channel. If you do not already have an ISO to use, a link is provided to download an evaluation version of Windows 10 Enterprise.
-Internet access If you are behind a firewall, see the detailed networking requirements. Otherwise, just ensure that you have a connection to the Internet.
-Hyper-V or a physical device running Windows 10 The guide assumes that you will use a Hyper-V VM, and provides instructions to install and configure Hyper-V if needed. To use a physical device, skip the steps to install and configure Hyper-V. An account with Azure AD Premium license This guide will describe how to obtain a free 30-day trial Azure AD Premium subscription that can be used to complete the lab.
[Enable Hyper-V](#enable-hyper-v)
-
[Create a demo VM](#create-a-demo-vm)
-
[Set ISO file location](#set-iso-file-location)
-
[Determine network adapter name](#determine-network-adapter-name)
-
[Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
-
[Install Windows 10](#install-windows-10)
-
[Capture the hardware ID](#capture-the-hardware-id)
-
[Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
-
[Verify subscription level](#verify-subscription-level)
-
[Configure company branding](#configure-company-branding)
-
[Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
-
[Register your VM](#register-your-vm)
-
[Autopilot registration using Intune](#autopilot-registration-using-intune)
-
[Autopilot registration using MSfB](#autopilot-registration-using-msfb)
-
[Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
-
[Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
-
[Create a device group](#create-a-device-group)
-
[Create the deployment profile](#create-the-deployment-profile)
-
[Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
-
[See Windows Autopilot in action](#see-windows-autopilot-in-action)
-
[Remove devices from Autopilot](#remove-devices-from-autopilot)
-
[Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
-
[Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
-
[Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
-
[Add a Win32 app](#add-a-win32-app)
-
[Prepare the app for Intune](#prepare-the-app-for-intune)
-
[Create app in Intune](#create-app-in-intune)
-
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-
[Add Office 365](#add-office-365)
-
[Create app in Intune](#create-app-in-intune)
-
[Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
-
[Glossary](#glossary)
+- [Verify support for Hyper-V](#verify-support-for-hyper-v)
+- [Enable Hyper-V](#enable-hyper-v)
+- [Create a demo VM](#create-a-demo-vm)
+ - [Set ISO file location](#set-iso-file-location)
+ - [Determine network adapter name](#determine-network-adapter-name)
+ - [Use Windows PowerShell to create the demo VM](#use-windows-powershell-to-create-the-demo-vm)
+ - [Install Windows 10](#install-windows-10)
+- [Capture the hardware ID](#capture-the-hardware-id)
+- [Reset the VM back to Out-Of-Box-Experience (OOBE)](#reset-the-vm-back-to-out-of-box-experience-oobe)
+- [Verify subscription level](#verify-subscription-level)
+- [Configure company branding](#configure-company-branding)
+- [Configure Microsoft Intune auto-enrollment](#configure-microsoft-intune-auto-enrollment)
+- [Register your VM](#register-your-vm)
+ - [Autopilot registration using Intune](#autopilot-registration-using-intune)
+ - [Autopilot registration using MSfB](#autopilot-registration-using-msfb)
+- [Create and assign a Windows Autopilot deployment profile](#create-and-assign-a-windows-autopilot-deployment-profile)
+ - [Create a Windows Autopilot deployment profile using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
+ - [Create a device group](#create-a-device-group)
+ - [Create the deployment profile](#create-the-deployment-profile)
+ - [Create a Windows Autopilot deployment profile using MSfB](#create-a-windows-autopilot-deployment-profile-using-msfb)
+- [See Windows Autopilot in action](#see-windows-autopilot-in-action)
+- [Remove devices from Autopilot](#remove-devices-from-autopilot)
+ - [Delete (deregister) Autopilot device](#delete-deregister-autopilot-device)
+- [Appendix A: Verify support for Hyper-V](#appendix-a-verify-support-for-hyper-v)
+- [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile)
+ - [Add a Win32 app](#add-a-win32-app)
+ - [Prepare the app for Intune](#prepare-the-app-for-intune)
+ - [Create app in Intune](#create-app-in-intune)
+ - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+ - [Add Office 365](#add-office-365)
+ - [Create app in Intune](#create-app-in-intune)
+ - [Assign the app to your Intune profile](#assign-the-app-to-your-intune-profile)
+- [Glossary](#glossary)
## Verify support for Hyper-V
-If you don't already have Hyper-V, we must first enable this on a computer running Windows 10 or Windows Server (2012 R2 or later).
-
-> If you already have Hyper-V enabled, skip to the [create a demo VM](#create-a-demo-vm) step. If you are using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
-
-If you are not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [appendix A](#appendix-a-verify-support-for-hyper-v) below for details on verifying that Hyper-V can be successfully installed.
+- If you don't already have Hyper-V enabled, enable it on a computer running Windows 10 or Windows Server (2012 R2 or later).
+- If you already have Hyper-V enabled, skip to the [Create a demo VM](#create-a-demo-vm) step. If you're using a physical device instead of a VM, skip to [Install Windows 10](#install-windows-10).
+- If you're not sure that your device supports Hyper-V, or you have problems installing Hyper-V, see [Appendix A](#appendix-a-verify-support-for-hyper-v) in this article for details on verifying that Hyper-V can be successfully installed.
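Review bot: under "Appendix B: Adding apps to your profile" the new nested list has two entries each for "Create app in Intune" and "Assign the app to your Intune profile" (one pair under "Add a Win32 app", one under "Add Office 365") that point at the same anchors, `#create-app-in-intune` and `#assign-the-app-to-your-intune-profile`, so the Office 365 pair resolves to the Win32 headings; either make the headings unique (for example "Create the Office 365 app in Intune") or use the renderer's suffixed anchor for the second heading (typically `#create-app-in-intune-1`). Also, the new prerequisites table has an empty first header cell (`| | Description |`); give it a name such as `Requirement` so the column has a header for screen readers and the docs linter.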
## Enable Hyper-V
@@ -105,13 +106,13 @@ To enable Hyper-V, open an elevated Windows PowerShell prompt and run the follow
Enable-WindowsOptionalFeature -Online -FeatureName Microsoft-Hyper-V -All
```
-This command works on all operating systems that support Hyper-V, but on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed, so if you're using Windows Server, you can just type the following command instead of using the Enable-WindowsOptionalFeature command:
+This command works on all operating systems that support Hyper-V. However, on Windows Server operating systems you must type an additional command (below) to add the Hyper-V Windows PowerShell module and the Hyper-V Manager console. The following command will also install Hyper-V if it isn't already installed. So, if you're using Windows Server, you can just type the following command instead of using the **Enable-WindowsOptionalFeature** command:
```powershell
Install-WindowsFeature -Name Hyper-V -IncludeManagementTools
```
-When you are prompted to restart the computer, choose **Yes**. The computer might restart more than once.
+When you're prompted to restart the computer, choose **Yes**. The computer might restart more than once.
Alternatively, you can install Hyper-V using the Control Panel in Windows under **Turn Windows features on or off** for a client operating system, or using Server Manager's **Add Roles and Features Wizard** on a server operating system, as shown below:
@@ -119,7 +120,7 @@ Alternatively, you can install Hyper-V using the Control Panel in Windows under

-
If you have previously enabled Hyper-V and your Internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
If you have never created an external VM switch before, then just run the commands below.
If you are not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that is used to connect to the Internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
+> **VM switch**: a VM switch is how Hyper-V connects VMs to a network.
+>
+>- If you previously enabled Hyper-V and your internet-connected network interface is already bound to a VM switch, then the PowerShell commands below will fail. In this case, you can either delete the existing VM switch (so that the commands below can create one), or you can reuse this VM switch by skipping the first command below and either modifying the second command to replace the switch name **AutopilotExternal** with the name of your switch, or by renaming your existing switch to "AutopilotExternal."
+>- If you have never created an external VM switch before, then just run the commands below.
+>- If you're not sure if you already have an External VM switch, enter **get-vmswitch** at a Windows PowerShell prompt to display a currently list of the VM switches that are provisioned in Hyper-V. If one of them is of SwitchType **External**, then you already have a VM switch configured on the server that's used to connect to the internet. In this case, you need to skip the first command below and modify the others to use the name of your VM switch instead of the name "AutopilotExternal" (or change the name of your switch).
```powershell
New-VMSwitch -Name AutopilotExternal -AllowManagementOS $true -NetAdapterName (Get-NetAdapter |?{$_.Status -eq "Up" -and !$_.Virtual}).Name
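Review bot: "display a currently list of the VM switches" in the third bullet of the new blockquote is a pre-existing typo carried into the rewritten text; change it to "a current list". The blockquote itself has no alert marker, while every other callout in this article uses `> [!NOTE]` or `> [!IMPORTANT]`, so it will render as a plain quotation; consider `> [!NOTE]` with the **VM switch** definition as its first line so it matches the surrounding style.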
@@ -181,11 +186,11 @@ Add-VMDvdDrive -Path c:\iso\win10-eval.iso -VMName WindowsAutopilot
Start-VM -VMName WindowsAutopilot
```
-After entering these commands, connect to the VM that you just created and wait for a prompt to press a key and boot from the DVD. You can connect to the VM by double-clicking it in Hyper-V Manager.
+After you enter these commands, connect to the VM that you just created. Double-click the VM in Hyper-V Manager to connect to it. Then wait for a prompt to press a key and boot from the DVD.
-See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the vmconnect.exe command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
+See the sample output below. In this sample, the VM is created under the **c:\autopilot** directory and the **vmconnect.exe** command is used (which is only available on Windows Server). If you installed Hyper-V on Windows 10, use Hyper-V Manager to connect to your VM.
-
+
PS C:\autopilot> dir c:\iso
@@ -228,42 +233,49 @@ PS C:\autopilot>
### Install Windows 10
> [!NOTE]
-> The VM will be booted to gather a hardware ID, then it will be reset. The goal in the next few steps is to get to the desktop quickly so don't worry about how it is configured at this stage. The VM only needs to be connected to the Internet.
+> The VM will be booted to gather a hardware ID. Then it will be reset. The goal in the next few steps is to get to the desktop quickly, so don't worry about how it's configured at this stage. The VM only needs to be connected to the internet.
-Ensure the VM booted from the installation ISO, click **Next** then click **Install now** and complete the Windows installation process. See the following examples:
+Make sure that the VM booted from the installation ISO, select **Next**, select **Install now**, and then complete the Windows installation process. See the following examples:
- 
- 
- 
- 
- 
- 
-After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This will offer the fastest way to the desktop. For example:
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+ 
+
+
+After the VM restarts, during OOBE, it's fine to select **Set up for personal use** or **Domain join instead** and then choose an offline account on the **Sign in** screen. This offers the fastest way to the desktop. For example:

-Once the installation is complete, sign in and verify that you are at the Windows 10 desktop, then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
+Once the installation is complete, sign in and verify that you're at the Windows 10 desktop. Then create your first Hyper-V checkpoint. Checkpoints are used to restore the VM to a previous state.
> [!div class="mx-imgBorder"]
> 
-To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM) and run the following:
+To create a checkpoint, open an elevated Windows PowerShell prompt on the computer running Hyper-V (not on the VM), and then run the following:
```powershell
Checkpoint-VM -Name WindowsAutopilot -SnapshotName "Finished Windows install"
```
-Click on the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
+Select the **WindowsAutopilot** VM in Hyper-V Manager and verify that you see **Finished Windows Install** listed in the Checkpoints pane.
## Capture the hardware ID
> [!NOTE]
-> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For purposes of this lab, you are acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PowerShell script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
+> Normally, the Device ID is captured by the OEM as they run the OA3 Tool on each device in the factory. The OEM then submits the 4K HH created by the OA3 Tool to Microsoft by submitting it with a Computer Build Report (CBR). For the purposes of this lab, you're acting as the OEM (capturing the 4K HH), but you're not going to use the OA3 Tool to capture the full 4K HH for various reasons (you'd have to install the OA3 tool, your device couldn't have a volume license version of Windows, it's a more complicated process than using a PowerShell script, etc.). Instead, you'll simulate running the OA3 tool by running a PowerShell script, which captures the device 4K HH just like the OA3 tool.
Follow these steps to run the PowerShell script:
-1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same regardless of whether you are using a VM or a physical device:
+1. **On the client VM**: Open an elevated Windows PowerShell prompt and run the following commands. These commands are the same whether you're using a VM or a physical device:
```powershell
md c:\HWID
@@ -274,7 +286,7 @@ Follow these steps to run the PowerShell script:
Get-WindowsAutopilotInfo.ps1 -OutputFile AutopilotHWID.csv
```
-1. When you are prompted to install the NuGet package, choose **Yes**.
+1. When you're prompted to install the NuGet package, choose **Yes**.
See the sample output below. A **dir** command is issued at the end to show the file that was created.
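Review bot: the six installer screenshots re-added after "See the following examples:" all have empty alt text (`![](...)`), which the docs accessibility check flags; give each a short description of the setup screen it shows. In the rewritten note the same value is called "Device ID", "hardware ID" (the section heading) and "4K HH", and "OA3 tool" and "OA3 Tool" are both used; settle on one term and one capitalization. The two consecutive blank lines after the last screenshot can be collapsed to one.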
@@ -317,26 +329,26 @@ Follow these steps to run the PowerShell script:
PS C:\HWID>
```
-1. Verify that there is an **AutopilotHWID.csv** file in the **c:\HWID** directory that is about 8 KB in size. This file contains the complete 4K HH.
+1. Verify that there's an **AutopilotHWID.csv** file in the **c:\HWID** directory that's about 8 KB in size. This file contains the complete 4K HH.
> [!NOTE]
- > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you are curious. The file format will be validated when it is imported into Autopilot. An example of the data in this file is shown below.
+ > Although the .csv extension might be associated with Microsoft Excel, you cannot view the file properly by double-clicking it. To correctly parse the comma delimiters and view the file in Excel, you must use the **Data** > **From Text/CSV** function in Excel to import the appropriate data columns. You don't need to view the file in Excel unless you're curious. The file format is validated when it's imported into Autopilot. Here's an example of the data in this file:

- You will need to upload this data into Intune to register your device for Autopilot, so the next step is to transfer this file to the computer you will use to access the Azure portal. If you are using a physical device instead of a VM, you can copy the file to a USB stick. If you’re using a VM, you can right-click the AutopilotHWID.csv file and copy it, then right-click and paste the file to your desktop (outside the VM).
+ You'll need to upload this data into Intune to register your device for Autopilot. So, the next step is to transfer this file to the computer you'll use to access the Azure portal. If you're using a physical device instead of a VM, you can copy the file to a USB drive. If you’re using a VM, you can right-click the **AutopilotHWID.csv** file and copy it. Then right-click and paste the file to your desktop (outside the VM).
- If you have trouble copying and pasting the file, just view the contents in Notepad on the VM and copy the text into Notepad outside the VM. Do not use another text editor to do this.
+ If you have trouble copying and pasting the file, just view the contents in Notepad on the VM, and then copy the text into Notepad outside the VM. Don't use another text editor to do this.
> [!NOTE]
- > When copying and pasting to or from VMs, avoid clicking other things with your mouse cursor between the copy and paste process as this can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
+ > When copying and pasting to or from VMs, avoid selecting other things with your mouse cursor in between the copy and paste process. Doing so can empty or overwrite the clipboard and require that you start over. Go directly from copy to paste.
## Reset the VM back to Out-Of-Box-Experience (OOBE)
With the hardware ID captured in a file, prepare your Virtual Machine for Windows Autopilot deployment by resetting it back to OOBE.
-On the Virtual Machine, go to **Settings > Update & Security > Recovery** and click on **Get started** under **Reset this PC**.
-Select **Remove everything** and **Just remove my files**. If you are asked **How would you like to reinstall Windows**, select Local reinstall. Finally, click on **Reset**.
+On the Virtual Machine, go to **Settings > Update & Security > Recovery** and select **Get started** under **Reset this PC**.
+Select **Remove everything** and **Just remove my files**. If you're asked **How would you like to reinstall Windows**, select Local reinstall. Finally, select **Reset**.

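Review bot: The contraction sweep in this hunk is incomplete: the rewritten NOTE still reads "you cannot view the file properly by double-clicking it", while every other line here moves to "you're", "it's", "there's"; change it to "you can't view" for consistency. In the reset steps, "select Local reinstall" is the only UI label left unbolded on a line that bolds **Remove everything**, **Just remove my files** and **Reset**; make it "select **Local reinstall**". The instruction "Don't use another text editor to do this" still gives no reason; if the concern is that other editors alter the encoding or line endings of the hash file and break the later import, say so in a short clause, because a reader who doesn't know why will ignore it.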
@@ -346,47 +358,47 @@ Resetting the VM or device can take a while. Proceed to the next step (verify su
## Verify subscription level
-For this lab, you need an AAD Premium subscription. You can tell if you have a Premium subscription by navigating to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
+For this lab, you need an Azure AD Premium subscription. To tell if you have a Premium subscription, go to the [MDM enrollment configuration](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) blade. See the following example:
**Azure Active Directory** > **Mobility (MDM and MAM)** > **Microsoft Intune**

-If the configuration blade shown above does not appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in AAD Premium.
+If the configuration blade shown above doesn't appear, it's likely that you don't have a **Premium** subscription. Auto-enrollment is a feature only available in Azure AD Premium.
-To convert your Intune trial account to a free Premium trial account, navigate to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.
+To convert your Intune trial account to a free Premium trial account, go to **Azure Active Directory** > **Licenses** > **All products** > **Try / Buy** and select **Free trial** for Azure AD Premium, or EMS E5.

## Configure company branding
-If you already have company branding configured in Azure Active Directory, you can skip this step.
+If you already have company branding configured in Azure AD, you can skip this step.
> [!IMPORTANT]
> Make sure to sign-in with a Global Administrator account.
-Navigate to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), click on **Configure** and configure any type of company branding you'd like to see during the OOBE.
+Go to [Company branding in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/LoginTenantBranding), select **Configure**, and then configure any type of company branding you'd like to see during the OOBE.

-When you are finished, click **Save**.
+When you're finished, select **Save**.
> [!NOTE]
> Changes to company branding can take up to 30 minutes to apply.
## Configure Microsoft Intune auto-enrollment
-If you already have MDM auto-enrollment configured in Azure Active Directory, you can skip this step.
+If you already have MDM auto-enrollment configured in Azure AD, you can skip this step.
-Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you do not see Microsoft Intune, click **Add application** and choose **Intune**.
+Open [Mobility (MDM and MAM) in Azure Active Directory](https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility) and select **Microsoft Intune**. If you don't see Microsoft Intune, select **Add application** and choose **Intune**.
-For the purposes of this demo, select **All** under the **MDM user scope** and click **Save**.
+For the purposes of this demo, select **All** under the **MDM user scope** and select **Save**.

## Register your VM
-Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but only pick one for purposes of this lab. We highly recommend using Intune rather than MSfB.
+Your VM (or device) can be registered either via Intune or Microsoft Store for Business (MSfB). Both processes are shown here, but *only pick one* for the purposes of this lab. It's highly recommended that you use Intune rather than MSfB.
### Autopilot registration using Intune
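Review bot: "select **All** under the **MDM user scope** and select **Save**" repeats "select" within one clause; "and then select **Save**" reads better and matches the "select **Configure**, and then configure..." pattern used two paragraphs earlier. Since setting **MDM user scope** to **All** auto-enrolls every user in the tenant into Intune, the "For the purposes of this demo" qualifier should be made explicit: add that this is a lab-only choice and that a production tenant would normally scope auto-enrollment to a pilot group. In the unchanged IMPORTANT box, "Make sure to sign-in with a Global Administrator account" uses the noun form; the verb is "sign in".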
@@ -395,17 +407,17 @@ Your VM (or device) can be registered either via Intune or Microsoft Store for B

> [!NOTE]
- > If menu items like **Windows enrollment** are not active for you, then look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appeared.
+ > If menu items like **Windows enrollment** aren't active for you, look to the far-right blade in the UI. You might need to provide Intune configuration privileges in a challenge window that appears.
-2. Under **Add Windows Autopilot devices** in the far right pane, browse to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.
+2. Under **Add Windows Autopilot devices** in the far-right pane, go to the **AutopilotHWID.csv** file you previously copied to your local computer. The file should contain the serial number and 4K HH of your VM (or device). It's okay if other fields (Windows Product ID) are left blank.

- You should receive confirmation that the file is formatted correctly before uploading it, as shown above.
+ You should receive confirmation that the file is formatted correctly before you upload it, as shown above.
-3. Click **Import** and wait until the import process completes. This can take up to 15 minutes.
+3. Select **Import** and wait until the import process completes. This can take up to 15 minutes.
-4. Click **Refresh** to verify your VM or device has been added. See the following example.
+4. Select **Refresh** to verify your VM or device is added. See the following example.

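Review bot: "go to the **AutopilotHWID.csv** file you previously copied to your local computer" in step 2 misdescribes the action: the **Add Windows Autopilot devices** pane opens a file picker, so the original "browse to" was the right verb, and this same PR keeps "browse to the **npp.7.6.3.installer.x64.intunewin** file" later on. Restore "browse to" here.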
@@ -420,22 +432,22 @@ Optional: see the following video for an overview of the process.
> [!video https://www.youtube.com/embed/IpLIZU_j7Z0]
-First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
+First, you need a MSfB account. You can use the same one you created above for Intune, or follow [these instructions](/microsoft-store/windows-store-for-business-overview) to create a new one.
-Next, sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) using your test account by clicking **Sign in** on the upper-right-corner of the main page.
+Next, to sign in to [Microsoft Store for Business](https://businessstore.microsoft.com/en-us/store) with your test account, select **Sign in** on the upper-right-corner of the main page.
-Select **Manage** from the top menu, then click the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:
+Select **Manage** from the top menu, then select the **Windows Autopilot Deployment Program** link under the **Devices** card. See the following example:

-Click the **Add devices** link to upload your CSV file. A message will appear indicating your request is being processed. Wait a few moments before refreshing to see your new device has been added.
+Select the **Add devices** link to upload your CSV file. A message appears that indicates your request is being processed. Wait a few moments before refreshing to see that your new device is added.

## Create and assign a Windows Autopilot deployment profile
> [!IMPORTANT]
-> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only pick one for purposes of this lab:
+> Autopilot profiles can be created and assigned to your registered VM or device either through Intune or MSfB. Both processes are shown here, but only *pick one for the purposes of this lab*:
Pick one:
- [Create profiles using Intune](#create-a-windows-autopilot-deployment-profile-using-intune)
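Review bot: The first -/+ pair in this hunk ("First, you need a MSfB account. You can use the same one you created above for Intune...") shows no visible change, so it is presumably a trailing-whitespace fix; confirm it isn't an accidental diff, and while touching the line change "a MSfB account" to "an MSfB account" since the abbreviation is read letter by letter. In the sign-in sentence, "upper-right-corner" should be "upper-right corner"; only the compound modifier takes hyphens.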
@@ -444,13 +456,13 @@ Pick one:
### Create a Windows Autopilot deployment profile using Intune
> [!NOTE]
-> Even if you registered your device in MSfB, it will still appear in Intune, though you might have to **sync** and then **refresh** your device list.
+> Even if you registered your device in MSfB, it still appears in Intune. Although, you might have to **sync** and then **refresh** your device list.

#### Create a device group
-The Autopilot deployment profile wizard will ask for a device group, so we must create one first. To create a device group:
+The Autopilot deployment profile wizard asks for a device group, so you must create one first. To create a device group:
1. In the [Microsoft Endpoint Manager admin center](https://go.microsoft.com/fwlink/?linkid=2109431), choose **Groups** > **New group**.
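Review bot: The rewritten NOTE leaves a sentence fragment: "Although, you might have to **sync** and then **refresh** your device list." cannot stand on its own. Either start it with "However, you might have to..." or keep the original single sentence: "...it still appears in Intune, although you might have to **sync** and then **refresh** your device list."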
@@ -460,21 +472,21 @@ The Autopilot deployment profile wizard will ask for a device group, so we must
3. Azure AD roles can be assigned to the group: **No**
4. For **Membership type**, choose **Assigned**.
-3. Click **Members** and add the Autopilot VM to the group. See the following example:
+3. Select **Members** and add the Autopilot VM to the group. See the following example:
> [!div class="mx-imgBorder"]
> 
-4. Click **Create**.
+4. Select **Create**.
#### Create the deployment profile
-To create a Windows Autopilot profile, scroll back to the left hand pane and click **Devices**, then under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
+To create a Windows Autopilot profile, scroll back to the left-side pane and select **Devices**. Then, under **Enroll devices | Windows enrollment** select **Deployment Profiles**.
> [!div class="mx-imgBorder"]
> 
-Click on **Create profile** and then select **Windows PC**.
+Select **Create profile** and then select **Windows PC**.
> [!div class="mx-imgBorder"]
> 
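Review bot: The step numbering in the device-group procedure repeats: the unchanged context shows "3. Azure AD roles can be assigned to the group: **No**" and "4. For **Membership type**, choose **Assigned**." immediately followed by this hunk's "3. Select **Members** and add the Autopilot VM to the group" and "4. Select **Create**". Either the first pair are sub-items of step 2 that lost their indentation, or the two rewritten lines should become steps 5 and 6; since this PR already touches both lines, fix it here. Minor: "Then, under **Enroll devices | Windows enrollment** select **Deployment Profiles**." needs a comma after the bold path.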
@@ -487,7 +499,7 @@ On the **Create profile** blade, use the following values:
| Description | Lab |
| Convert all targeted devices to Autopilot | No |
-Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
+Select **Next** to continue with the **Out-of-box experience (OOBE)** settings:
| Setting | Value |
|---|---|
@@ -502,36 +514,36 @@ Click **Next** to continue with the **Out-of-box experience (OOBE)** settings:
| Automatically configure keyboard | Yes |
| Apply device name template | No |
-Click **Next** to continue with the **Assignments** settings:
+Select **Next** to continue with the **Assignments** settings:
| Setting | Value |
|---|---|
| Assign to | Selected groups |
-1. Click **Select groups to include**.
-2. Click the **Autopilot Lab** group, and then click **Select**.
-3. Click **Next** to continue and then click **Create**. See the following example:
+1. Select **Select groups to include**.
+2. Select the **Autopilot Lab** group, and then choose **Select**.
+3. Select **Next** to continue, and then select **Create**. See the following example:

-Click on **OK** and then click on **Create**.
+Select **OK**, and then select **Create**.
> [!NOTE]
-> If you want to add an app to your profile via Intune, the OPTIONAL steps for doing so can be found in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
+> If you want to add an app to your profile via Intune, use the *optional* steps in [Appendix B: Adding apps to your profile](#appendix-b-adding-apps-to-your-profile).
### Create a Windows Autopilot deployment profile using MSfB
-If you have already created and assigned a profile via Intune by using the steps immediately above, then skip this section.
+If you already created and assigned a profile via Intune with the steps immediately above, then skip this section.
A [video](https://www.youtube.com/watch?v=IpLIZU_j7Z0) is available that covers the steps required to create and assign profiles in MSfB. These steps are also summarized below.
First, sign in to the [Microsoft Store for Business](https://businessstore.microsoft.com/manage/dashboard) using the Intune account you initially created for this lab.
-Click **Manage** from the top menu, then click **Devices** from the left navigation tree.
+Select **Manage** from the top menu, then select **Devices** from the left navigation tree.

-Click the **Windows Autopilot Deployment Program** link in the **Devices** tile.
+Select the **Windows Autopilot Deployment Program** link in the **Devices** tile.
To CREATE the profile:
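Review bot: Step 3 of the **Assignments** list ends with "Select **Next** to continue, and then select **Create**", and the line right after the screenshot repeats "Select **OK**, and then select **Create**." The reader is told to create the profile twice. If the second line refers to a confirmation dialog, say so ("Select **OK** on the confirmation, and the profile is created"); otherwise drop it. Also, "To CREATE the profile:" in all caps isn't a convention used anywhere else in this document; "To create the profile:" or bold would match the surrounding headings.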
@@ -545,7 +557,7 @@ On the Autopilot deployment dropdown menu, select **Create new profile**:
> [!div class="mx-imgBorder"]
> 
-Name the profile, choose your desired settings, and then click **Create**:
+Name the profile, choose your desired settings, and then select **Create**:
> [!div class="mx-imgBorder"]
> 
@@ -554,83 +566,83 @@ The new profile is added to the Autopilot deployment list.
To ASSIGN the profile:
-To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab, then select the profile you want to assign from the **Autopilot deployment** dropdown menu as shown:
+To assign (or reassign) the profile to a device, select the checkboxes next to the device you registered for this lab. Then, select the profile you want to assign from the **Autopilot deployment** dropdown menu, as shown:
> [!div class="mx-imgBorder"]
> 
-Confirm the profile was successfully assigned to the intended device by checking the contents of the **Profile** column:
+To confirm the profile was successfully assigned to the intended device, check the contents of the **Profile** column:
> [!div class="mx-imgBorder"]
> 
> [!IMPORTANT]
-> The new profile will only be applied if the device has not been started, and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
+> The new profile is only applied if the device hasn't started and gone through OOBE. Settings from a different profile can't be applied when another profile has been applied. Windows would need to be reinstalled on the device for the second profile to be applied to the device.
## See Windows Autopilot in action
-If you shut down your VM after the last reset, it's time to start it back up again, so it can progress through the Autopilot OOBE experience but do not attempt to start your device again until the **PROFILE STATUS** for your device in Intune has changed from **Not assigned** to **Assigning** and finally **Assigned**:
+If you shut down your VM after the last reset, it's time to start it back up again so it can progress through the Autopilot OOBE experience. However, don't attempt to start your device again until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned** to **Assigning**, and finally to **Assigned**:
> [!div class="mx-imgBorder"]
> 
-Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding), otherwise these changes might not show up.
+Also, make sure to wait at least 30 minutes from the time you've [configured company branding](#configure-company-branding). Otherwise, these changes might not show up.
> [!TIP]
-> If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again to ensure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you do not see the Autopilot OOBE experience, then reset the device again (Settings > Update & Security > Recovery and click on Get started. Under Reset this PC, select Remove everything and Just remove my files. Click on Reset).
+> If you reset your device previously, after collecting the 4K HH info, let it restart back to the first OOBE screen. Then you might need to restart the device again to make sure the device is recognized as an Autopilot device and displays the Autopilot OOBE experience you're expecting. If you don't see the Autopilot OOBE experience, then reset the device again (**Settings** > **Update & Security** > **Recovery** and select **Get started**. Under **Reset this PC**, select **Remove everything and Just remove my files**. Select **Reset**).
-- Ensure your device has an internet connection.
-- Turn on the device
-- Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).
+1. Make sure your device has an internet connection.
+1. Turn on the device.
+1. Verify that the appropriate OOBE screens (with appropriate Company Branding) appear. You should see the region selection screen, the keyboard selection screen, and the second keyboard selection screen (which you can skip).

-Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**, then **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
+Soon after reaching the desktop, the device should show up in Intune as an **enabled** Autopilot device. Go into the Intune Azure portal, and select **Devices > All devices**. Then, **Refresh** the data to verify that your device has changed from disabled to enabled, and the name of the device is updated.
> [!div class="mx-imgBorder"]
> 
-Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure Active Directory credentials and you're all done.
+Once you select a language and a keyboard layout, your company branded sign-in screen should appear. Provide your Azure AD credentials. Then you're all done.
> [!TIP]
-> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you have correctly [assigned licenses](/mem/intune/fundamentals/licenses-assign) to the current user.
+> If you receive a message that "Something went wrong" and it "Looks like we can't connect to the URL for your organization's MDM terms of use", verify that you correctly [assigned licenses](/mem/intune/fundamentals/licenses-assign) to the current user.
-Windows Autopilot will now take over to automatically join your device into Azure Active Directory and enroll it to Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
+Windows Autopilot takes over to automatically join your device into Azure AD and enroll it into Microsoft Intune. Use the checkpoint you've created to go through this process again with different settings.
## Remove devices from Autopilot
-To use the device (or VM) for other purposes after completion of this lab, you will need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group) and [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal) and below.
+To use the device (or VM) for other purposes after completion of this lab, you need to remove (deregister) it from Autopilot via either Intune or MSfB, and then reset it. Instructions for deregistering devices can be found at [Enroll Windows devices in Intune by using Windows Autopilot](/intune/enrollment-autopilot#create-an-autopilot-device-group), [Remove devices by using wipe, retire, or manually unenrolling the device](/intune/devices-wipe#delete-devices-from-the-azure-active-directory-portal), and below.
### Delete (deregister) Autopilot device
-You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure Active Directory), log into the MEM admin center, then navigate to **Intune > Devices > All Devices**. Select the device you want to delete, then click the Delete button along the top menu.
+You need to delete (or retire, or factory reset) the device from Intune before deregistering the device from Autopilot. To delete the device from Intune (not Azure AD), log into the MEM admin center, then go to **Intune > Devices > All Devices**. Select the device you want to delete, then select the **Delete** button along the top menu.
> [!div class="mx-imgBorder"]
> 
-This will remove the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this does not yet deregister the device from Autopilot, so the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
+This action removes the device from Intune management, and it will disappear from **Intune > Devices > All devices**. But this doesn't yet deregister the device from Autopilot. So, the device should still appear under **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices**.
-The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
+The **Intune > Devices > All Devices** list and the **Intune > Device Enrollment > Windows Enrollment > Windows Autopilot Deployment Program > Devices** list mean different things and are two completely separate datastores. The former (All devices) is the list of devices currently enrolled into Intune.
> [!NOTE]
-> A device will only appear in the All devices list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
+> A device only appears in the **All devices** list once it has booted. The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices currently registered from that Intune account into the Autopilot program - which may or may not be enrolled to Intune.
-To remove the device from the Autopilot program, select the device and click **Delete**. You will get a popup dialog box to confirm deletion.
+To remove the device from the Autopilot program, select the device, and then select **Delete**. A pop-up dialog box appears to confirm deletion.
> [!div class="mx-imgBorder"]
> 
-At this point, your device has been unenrolled from Intune and also deregistered from Autopilot. After several minutes, click the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program:
+At this point, your device is unenrolled from Intune and also deregistered from Autopilot. After several minutes, select the **Sync** button, followed by the **Refresh** button to confirm the device is no longer listed in the Autopilot program.
-Once the device no longer appears, you are free to reuse it for other purposes.
+Once the device no longer appears, you're free to reuse it for other purposes.
-If you also (optionally) want to remove your device from AAD, navigate to **Azure Active Directory > Devices > All Devices**, select your device, and click the delete button:
+If you also (optionally) want to remove your device from Azure AD, go to **Azure Active Directory > Devices > All Devices**, select your device, and then select the **Delete** button:
## Appendix A: Verify support for Hyper-V
Starting with Windows 8, the host computer's microprocessor must support second level address translation (SLAT) to install Hyper-V. See [Hyper-V: List of SLAT-Capable CPUs for Hosts](https://social.technet.microsoft.com/wiki/contents/articles/1401.hyper-v-list-of-slat-capable-cpus-for-hosts.aspx) for more information.
-To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press ENTER, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
+To verify your computer supports SLAT, open an administrator command prompt, type **systeminfo**, press **ENTER**, scroll down, and review the section displayed at the bottom of the output, next to Hyper-V Requirements. See the following example:
```console
C:>systeminfo
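Review bot: The rewritten TIP changes the meaning of the original. The old text described a condition ("If you reset your device previously after collecting the 4K HH info, and then let it restart back to the first OOBE screen, then you might need to restart the device again"); the new text turns the middle clause into an instruction ("...let it restart back to the first OOBE screen. Then you might need to restart the device again...") and the comma after "previously" detaches "after collecting the 4K HH info" from the verb it qualifies. Keep the conditional: "If you previously reset your device after collecting the 4K HH info and let it restart to the first OOBE screen, you might need to restart it again to make sure it's recognized as an Autopilot device." In the same TIP, "**Remove everything and Just remove my files**" bolds two separate options as one label; bold them separately as the reset section above does. Two more in this hunk: the NOTE in the deregistration section now carries "The latter (**Windows Autopilot Deployment Program** > **Devices**) is the list of devices..." while its partner "The former (All devices) is the list..." sits in the paragraph above, so the former/latter pair is split across a note boundary; keep only "A device only appears in the **All devices** list once it has booted." in the NOTE and return the "The latter..." sentence to the paragraph. And "until the **PROFILE STATUS** for your device in Intune is changed from **Not assigned**" should read "has changed", as the original did; "is changed" implies the reader changes it.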
@@ -645,7 +657,7 @@ Hyper-V Requirements: VM Monitor Mode Extensions: Yes
In this example, the computer supports SLAT and Hyper-V.
> [!NOTE]
-> If one or more requirements are evaluated as **No** then the computer does not support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting will depend on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
+> If one or more requirements are evaluated as **No** then the computer doesn't support installing Hyper-V. However, if only the virtualization setting is incompatible, you might be able to enable virtualization in the BIOS and change the **Virtualization Enabled In Firmware** setting from **No** to **Yes**. The location of this setting depends on the manufacturer and BIOS version, but is typically found associated with the BIOS security settings.
You can also identify Hyper-V support using [tools](/archive/blogs/taylorb/hyper-v-will-my-computer-run-hyper-v-detecting-intel-vt-and-amd-v) provided by the processor manufacturer, the [msinfo32](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/cc731397(v=ws.11)) tool, or you can download the [Coreinfo](/sysinternals/downloads/coreinfo) utility and run it, as shown in the following example:
@@ -673,28 +685,28 @@ EPT * Supports Intel extended page tables (SLAT)
#### Prepare the app for Intune
-Before we can pull an application into Intune to make it part of our AP profile, we need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
+Before you can pull an application into Intune to make it part of your AP profile, you need to "package" the application for delivery using the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool). After downloading the tool, gather the following three bits of information to use the tool:
1. The source folder for your application
2. The name of the setup executable file
3. The output folder for the new file
-For the purposes of this lab, we'll use the Notepad++ tool as our Win32 app.
+For the purposes of this lab, we'll use the Notepad++ tool as the Win32 app.
-Download the Notepad++ msi package [here](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available) and then copy the file to a known location, such as C:\Notepad++msi.
+Download the [Notepad++ msi package](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available), and then copy the file to a known location, such as C:\Notepad++msi.
Run the IntuneWinAppUtil tool, supplying answers to the three questions, for example:
> [!div class="mx-imgBorder"]
> 
-After the tool finishes running, you should have an .intunewin file in the Output folder, which you can now upload into Intune using the following steps.
+After the tool finishes running, you should have an .intunewin file in the Output folder. You can upload the file into Intune by using the following steps.
#### Create app in Intune
-Log into the Azure portal and select **Intune**.
+Log in to the Azure portal, and then select **Intune**.
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.

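Review bot: The hunk switches the first paragraph from "we" to "you" ("Before you can pull an application into Intune to make it part of your AP profile...") but two lines later leaves "we'll use the Notepad++ tool as the Win32 app"; make it "this lab uses" or "you'll use" so the voice is consistent. The substantive gap: the lab has the reader download an MSI that isn't published by the Notepad++ project but by a third-party repackager (the hass.de link) and push it to enrolled devices through Intune with no integrity step. Add a sentence before the upload to verify the package, for example check its Authenticode signature and publisher in the file properties or compare its hash against the value the provider publishes, and note that in production only packages from a vetted internal source should be deployed this way. Also "Log in to the Azure portal" here versus "log into the MEM admin center" in the deregistration section: pick one form; Microsoft style is "sign in to".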
@@ -702,7 +714,7 @@ Under **App Type**, select **Windows app (Win32)**:

-On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then click **OK**:
+On the **App package file** blade, browse to the **npp.7.6.3.installer.x64.intunewin** file in your output folder, open it, then select **OK**:
> [!div class="mx-imgBorder"]
> 
@@ -719,47 +731,47 @@ Uninstall: msiexec /x "{F188A506-C3C6-4411-BE3A-DA5BF1EA6737}" /q
```
> [!NOTE]
-> Likely, you do not have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.
+> Likely, you don't have to write the install and uninstall commands yourself because the [IntuneWinAppUtil.exe command-line tool](https://github.com/Microsoft/Microsoft-Win32-Content-Prep-Tool) automatically generated them when it converted the .msi file into a .intunewin file.

-Simply using an install command like "notepad++.exe /S" will not actually install Notepad++; it will only launch the app. To actually install the program, we need to use the .msi file instead. Notepad++ doesn't actually have an .msi version of their program, but we got an .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
+Simply using an install command like "notepad++.exe /S" doesn't actually install Notepad++; it only launches the app. To install the program, you need to use the .msi file instead. Notepad++ doesn't have a .msi version of their program, but there's a .msi version from a [third party provider](https://www.hass.de/content/notepad-msi-package-enterprise-deployment-available).
-Click **OK** to save your input and activate the **Requirements** blade.
+Select **OK** to save your input and activate the **Requirements** blade.
On the **Requirements Configuration** blade, specify the **OS architecture** and the **Minimum OS version**:
> [!div class="mx-imgBorder"]
> 
-Next, configure the **Detection rules**. For our purposes, we will select manual format:
+Next, configure the **Detection rules**. For the purposes of this lab, select manual format:
> [!div class="mx-imgBorder"]
> 
-Click **Add** to define the rule properties. For **Rule type**, select **MSI**, which will automatically import the right MSI product code into the rule:
+Select **Add** to define the rule properties. For **Rule type**, select **MSI**, which automatically imports the correct MSI product code into the rule:

-Click **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
+Select **OK** twice to save, as you back out to the main **Add app** blade again for the final configuration.
-**Return codes**: For our purposes, leave the return codes at their default values:
+**Return codes**: For the purposes of this lab, leave the return codes at their default values:
> [!div class="mx-imgBorder"]
> 
-Click **OK** to exit.
+Select **OK** to exit.
-You may skip configuring the final **Scope (Tags)** blade.
+You can skip configuring the final **Scope (Tags)** blade.
-Click the **Add** button to finalize and save your app package.
+Select the **Add** button to finalize and save your app package.
-Once the indicator message says the addition has completed.
+Wait for indicator message that says the addition has completed.
> [!div class="mx-imgBorder"]
> 
-You will be able to find your app in your app list:
+Find your app in your app list:
> [!div class="mx-imgBorder"]
> 
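Review bot: the rewritten line `+Wait for indicator message that says the addition has completed.` drops an article; suggest `Wait for the indicator message that says the addition has completed.` Separately, the sentence that sends readers to a `.msi` obtained from a third party provider would benefit from one sentence advising that the package's digital signature and source be verified before it is deployed through Intune.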
@@ -767,16 +779,16 @@ You will be able to find your app in your app list:
#### Assign the app to your Intune profile
> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the app package you already created to reveal its properties blade. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
-Select **Add Group** to open the **Add group** pane that is related to the app.
+Select **Add Group** to open the **Add group** pane that's related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu.
+For the purposes of this lab, select **Required** from the **Assignment type** dropdown menu.
> [!NOTE]
> **Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
@@ -788,7 +800,7 @@ Select **Included Groups** and assign the groups you previously created that wil
> [!div class="mx-imgBorder"]
> 
-In the **Select groups** pane, click the **Select** button.
+In the **Select groups** pane, choose the **Select** button.
In the **Assign group** pane, select **OK**.
@@ -807,9 +819,9 @@ For more information on adding apps to Intune, see [Intune Standalone - Win32 ap
#### Create app in Intune
-Log into the Azure portal and select **Intune**.
+Log in to the Azure portal and select **Intune**.
-Navigate to **Intune > Clients apps > Apps**, and then click the **Add** button to create a new app package.
+Go to **Intune > Clients apps > Apps**, and then select the **Add** button to create a new app package.

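Review bot: `+Go to **Intune > Clients apps > Apps**` carries over the `Clients apps` typo from the removed line, while the other navigation paths in this patch use **Client Apps**; change it to `**Intune > Client Apps > Apps**` while the line is being touched.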
@@ -817,41 +829,41 @@ Under **App Type**, select **Office 365 Suite > Windows 10**:

-Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this labe we have only selected Excel:
+Under the **Configure App Suite** pane, select the Office apps you want to install. For the purposes of this lab, only select Excel:
> [!div class="mx-imgBorder"]
> 
-Click **OK**.
+Select **OK**.
-In the **App Suite Information** pane, enter a unique suite name, and a suitable description.
+In the **App Suite Information** pane, enter a *unique* suite name, and a suitable description.
-Enter the name of the app suite as it is displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
+Enter the name of the app suite as it's displayed in the company portal. Make sure that all suite names that you use are unique. If the same app suite name exists twice, only one of the apps is displayed to users in the company portal.
> [!div class="mx-imgBorder"]
> 
-Click **OK**.
+Select **OK**.
-In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection would be fine for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:
+In the **App Suite Settings** pane, select **Monthly** for the **Update channel** (any selection is okay for the purposes of this lab). Also select **Yes** for **Automatically accept the app end user license agreement**:

-Click **OK** and then click **Add**.
+Select **OK** and, then select **Add**.
#### Assign the app to your Intune profile
> [!NOTE]
-> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you have not done that, please return to the main part of the lab and complete those steps before returning here.
+> The following steps only work if you previously [created a GROUP in Intune and assigned a profile to it](#create-a-device-group). If you haven't done that, return to the main part of the lab and complete those steps before returning here.
-In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then click **Assignments** from the menu:
+In the **Intune > Client Apps > Apps** pane, select the Office package you already created to reveal its properties blade. Then select **Assignments** from the menu:
> [!div class="mx-imgBorder"]
> 
-Select **Add Group** to open the **Add group** pane that is related to the app.
+Select **Add Group** to open the **Add group** pane that's related to the app.
-For our purposes, select **Required** from the **Assignment type** dropdown menu.
+For the purposes of this lab, select **Required** from the **Assignment type** dropdown menu.
**Available for enrolled devices** means users install the app from the Company Portal app or Company Portal website.
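Review bot: `+Select **OK** and, then select **Add**.` has a stray comma; suggest `Select **OK**, and then select **Add**.` Also, `only select Excel` reads as "do nothing but select", whereas `select only Excel` keeps the meaning of the removed line.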
@@ -862,7 +874,7 @@ Select **Included Groups** and assign the groups you previously created that wil
> [!div class="mx-imgBorder"]
> 
-In the **Select groups** pane, click the **Select** button.
+In the **Select groups** pane, choose the **Select** button.
In the **Assign group** pane, select **OK**.
@@ -876,23 +888,23 @@ At this point, you have completed steps to add Office to Intune.
For more information on adding Office apps to Intune, see [Assign Office 365 apps to Windows 10 devices with Microsoft Intune](/intune/apps-add-office365).
-If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list, although it could take several minutes to populate:
+If you installed both the win32 app (Notepad++) and Office (just Excel) per the instructions in this lab, your VM will show them in the apps list. It might take several minutes to populate.

## Glossary
-
-
\ No newline at end of file
+| | Description |
+|:---|:---|
+|**OEM** | Original Equipment Manufacturer |
+|**CSV** | Comma Separated Values |
+|**MPC** | Microsoft Partner Center |
+|**CSP** | Cloud Solution Provider |
+|**MSfB** | Microsoft Store for Business |
+|**Azure AD** | Azure Active Directory |
+|**4K HH** | 4K Hardware Hash |
+|**CBR** | Computer Build Report |
+|**EC** | Enterprise Commerce (server) |
+|**DDS** | Device Directory Service |
+|**OOBE** | Out of the Box Experience |
+|**VM** |Virtual Machine |
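Review bot: the glossary table's first header cell is empty (`| | Description |`); give it a label such as `| Term | Description |` so the rendered table and screen readers have a name for the first column.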
diff --git a/windows/security/TOC.yml b/windows/security/TOC.yml
index 70e61e303f..d150e02df0 100644
--- a/windows/security/TOC.yml
+++ b/windows/security/TOC.yml
@@ -1,9 +1,470 @@
-- name: Security
+
+- name: Windows security
href: index.yml
+- name: Zero Trust and Windows
+ href: zero-trust-windows-device-health.md
+ expanded: true
+- name: Hardware security
items:
- - name: Identity and access management
- href: identity-protection/index.md
- - name: Information protection
- href: information-protection/index.md
- - name: Threat protection
- href: threat-protection/index.md
+ - name: Overview
+ href: hardware.md
+ - name: Trusted Platform Module
+ href: information-protection/tpm/trusted-platform-module-top-node.md
+ items:
+ - name: Trusted Platform Module Overview
+ href: information-protection/tpm/trusted-platform-module-overview.md
+ - name: TPM fundamentals
+ href: information-protection/tpm/tpm-fundamentals.md
+ - name: How Windows uses the TPM
+ href: information-protection/tpm/how-windows-uses-the-tpm.md
+ - name: TPM Group Policy settings
+ href: information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+ - name: Back up the TPM recovery information to AD DS
+ href: information-protection/tpm/backup-tpm-recovery-information-to-ad-ds.md
+ - name: View status, clear, or troubleshoot the TPM
+ href: information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+ - name: Understanding PCR banks on TPM 2.0 devices
+ href: information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+ - name: TPM recommendations
+ href: information-protection/tpm/tpm-recommendations.md
+ - name: Hardware-based root of trust
+ href: threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md
+ - name: System Guard Secure Launch and SMM protection
+ href: threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
+ - name: Enable virtualization-based protection of code integrity
+ href: threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md
+ - name: Kernel DMA Protection
+ href: information-protection/kernel-dma-protection-for-thunderbolt.md
+ - name: Windows secured-core devices
+ href: /windows-hardware/design/device-experiences/oem-highly-secure
+- name: Operating system security
+ items:
+ - name: Overview
+ href: operating-system.md
+ - name: System security
+ items:
+ - name: Secure the Windows boot process
+ href: information-protection/secure-the-windows-10-boot-process.md
+ - name: Trusted Boot
+ href: trusted-boot.md
+ - name: Cryptography and certificate management
+ href: cryptography-certificate-mgmt.md
+ - name: The Windows Security app
+ href: threat-protection/windows-defender-security-center/windows-defender-security-center.md
+ items:
+ - name: Virus & threat protection
+ href: threat-protection\windows-defender-security-center\wdsc-virus-threat-protection.md
+ - name: Account protection
+ href: threat-protection\windows-defender-security-center\wdsc-account-protection.md
+ - name: Firewall & network protection
+ href: threat-protection\windows-defender-security-center\wdsc-firewall-network-protection.md
+ - name: App & browser control
+ href: threat-protection\windows-defender-security-center\wdsc-app-browser-control.md
+ - name: Device security
+ href: threat-protection\windows-defender-security-center\wdsc-device-security.md
+ - name: Device performance & health
+ href: threat-protection\windows-defender-security-center\wdsc-device-performance-health.md
+ - name: Family options
+ href: threat-protection\windows-defender-security-center\wdsc-family-options.md
+ - name: Security policy settings
+ href: threat-protection/security-policy-settings/security-policy-settings.md
+ - name: Security auditing
+ href: threat-protection/auditing/security-auditing-overview.md
+ - name: Encryption and data protection
+ href: encryption-data-protection.md
+ items:
+ - name: Encrypted Hard Drive
+ href: information-protection/encrypted-hard-drive.md
+ - name: BitLocker
+ href: information-protection/bitlocker/bitlocker-overview.md
+ items:
+ - name: Overview of BitLocker Device Encryption in Windows
+ href: information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+ - name: BitLocker frequently asked questions (FAQ)
+ href: information-protection/bitlocker/bitlocker-frequently-asked-questions.yml
+ items:
+ - name: Overview and requirements
+ href: information-protection/bitlocker/bitlocker-overview-and-requirements-faq.yml
+ - name: Upgrading
+ href: information-protection/bitlocker/bitlocker-upgrading-faq.yml
+ - name: Deployment and administration
+ href: information-protection/bitlocker/bitlocker-deployment-and-administration-faq.yml
+ - name: Key management
+ href: information-protection/bitlocker/bitlocker-key-management-faq.yml
+ - name: BitLocker To Go
+ href: information-protection/bitlocker/bitlocker-to-go-faq.yml
+ - name: Active Directory Domain Services
+ href: information-protection/bitlocker/bitlocker-and-adds-faq.yml
+ - name: Security
+ href: information-protection/bitlocker/bitlocker-security-faq.yml
+ - name: BitLocker Network Unlock
+ href: information-protection/bitlocker/bitlocker-network-unlock-faq.yml
+ - name: General
+ href: information-protection/bitlocker/bitlocker-using-with-other-programs-faq.yml
+ - name: "Prepare your organization for BitLocker: Planning and policies"
+ href: information-protection/bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md
+ - name: BitLocker deployment comparison
+ href: information-protection/bitlocker/bitlocker-deployment-comparison.md
+ - name: BitLocker basic deployment
+ href: information-protection/bitlocker/bitlocker-basic-deployment.md
+ - name: Deploy BitLocker on Windows Server 2012 and later
+ href: information-protection/bitlocker/bitlocker-how-to-deploy-on-windows-server.md
+ - name: BitLocker management for enterprises
+ href: information-protection/bitlocker/bitlocker-management-for-enterprises.md
+ - name: Enable Network Unlock with BitLocker
+ href: information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+ - name: Use BitLocker Drive Encryption Tools to manage BitLocker
+ href: information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+ - name: Use BitLocker Recovery Password Viewer
+ href: information-protection/bitlocker/bitlocker-use-bitlocker-recovery-password-viewer.md
+ - name: BitLocker Group Policy settings
+ href: information-protection/bitlocker/bitlocker-group-policy-settings.md
+ - name: BCD settings and BitLocker
+ href: information-protection/bitlocker/bcd-settings-and-bitlocker.md
+ - name: BitLocker Recovery Guide
+ href: information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+ - name: BitLocker Countermeasures
+ href: information-protection/bitlocker/bitlocker-countermeasures.md
+ - name: Protecting cluster shared volumes and storage area networks with BitLocker
+ href: information-protection/bitlocker/protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md
+ - name: Troubleshoot BitLocker
+ items:
+ - name: Troubleshoot BitLocker
+ href: information-protection/bitlocker/troubleshoot-bitlocker.md
+ - name: "BitLocker cannot encrypt a drive: known issues"
+ href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-issues.md
+ - name: "Enforcing BitLocker policies by using Intune: known issues"
+ href: information-protection/bitlocker/ts-bitlocker-intune-issues.md
+ - name: "BitLocker Network Unlock: known issues"
+ href: information-protection/bitlocker/ts-bitlocker-network-unlock-issues.md
+ - name: "BitLocker recovery: known issues"
+ href: information-protection/bitlocker/ts-bitlocker-recovery-issues.md
+ - name: "BitLocker configuration: known issues"
+ href: information-protection/bitlocker/ts-bitlocker-config-issues.md
+ - name: Troubleshoot BitLocker and TPM issues
+ items:
+ - name: "BitLocker cannot encrypt a drive: known TPM issues"
+ href: information-protection/bitlocker/ts-bitlocker-cannot-encrypt-tpm-issues.md
+ - name: "BitLocker and TPM: other known issues"
+ href: information-protection/bitlocker/ts-bitlocker-tpm-issues.md
+ - name: Decode Measured Boot logs to track PCR changes
+ href: information-protection/bitlocker/ts-bitlocker-decode-measured-boot-logs.md
+ - name: Configure S/MIME for Windows
+ href: identity-protection/configure-s-mime.md
+ - name: Network security
+ items:
+ - name: VPN technical guide
+ href: identity-protection/vpn/vpn-guide.md
+ items:
+ - name: VPN connection types
+ href: identity-protection/vpn/vpn-connection-type.md
+ - name: VPN routing decisions
+ href: identity-protection/vpn/vpn-routing.md
+ - name: VPN authentication options
+ href: identity-protection/vpn/vpn-authentication.md
+ - name: VPN and conditional access
+ href: identity-protection/vpn/vpn-conditional-access.md
+ - name: VPN name resolution
+ href: identity-protection/vpn/vpn-name-resolution.md
+ - name: VPN auto-triggered profile options
+ href: identity-protection/vpn/vpn-auto-trigger-profile.md
+ - name: VPN security features
+ href: identity-protection/vpn/vpn-security-features.md
+ - name: VPN profile options
+ href: identity-protection/vpn/vpn-profile-options.md
+ - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
+ href: identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+ - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
+ href: identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+ - name: Optimizing Office 365 traffic with the Windows VPN client
+ href: identity-protection/vpn/vpn-office-365-optimization.md
+ - name: Windows Defender Firewall
+ href: threat-protection/windows-firewall/windows-firewall-with-advanced-security.md
+ - name: Windows security baselines
+ href: threat-protection/windows-security-configuration-framework/windows-security-baselines.md
+ items:
+ - name: Security Compliance Toolkit
+ href: threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md
+ - name: Get support
+ href: threat-protection/windows-security-configuration-framework/get-support-for-security-baselines.md
+ - name: Virus & threat protection
+ items:
+ - name: Overview
+ href: threat-protection/index.md
+ - name: Microsoft Defender Antivirus
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows
+ - name: Attack surface reduction rules
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction
+ - name: Tamper protection
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
+ - name: Network protection
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/network-protection
+ - name: Controlled folder access
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/controlled-folders
+ - name: Exploit protection
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint/exploit-protection
+ - name: Microsoft Defender for Endpoint
+ href: https://docs.microsoft.com/microsoft-365/security/defender-endpoint
+ - name: Security intelligence
+ href: threat-protection/intelligence/index.md
+ items:
+ - name: Understand malware & other threats
+ href: threat-protection/intelligence/understanding-malware.md
+ items:
+ - name: Prevent malware infection
+ href: threat-protection/intelligence/prevent-malware-infection.md
+ - name: Malware names
+ href: threat-protection/intelligence/malware-naming.md
+ - name: Coin miners
+ href: threat-protection/intelligence/coinminer-malware.md
+ - name: Exploits and exploit kits
+ href: threat-protection/intelligence/exploits-malware.md
+ - name: Fileless threats
+ href: threat-protection/intelligence/fileless-threats.md
+ - name: Macro malware
+ href: threat-protection/intelligence/macro-malware.md
+ - name: Phishing
+ href: threat-protection/intelligence/phishing.md
+ - name: Ransomware
+ href: /security/compass/human-operated-ransomware
+ - name: Rootkits
+ href: threat-protection/intelligence/rootkits-malware.md
+ - name: Supply chain attacks
+ href: threat-protection/intelligence/supply-chain-malware.md
+ - name: Tech support scams
+ href: threat-protection/intelligence/support-scams.md
+ - name: Trojans
+ href: threat-protection/intelligence/trojans-malware.md
+ - name: Unwanted software
+ href: threat-protection/intelligence/unwanted-software.md
+ - name: Worms
+ href: threat-protection/intelligence/worms-malware.md
+ - name: How Microsoft identifies malware and PUA
+ href: threat-protection/intelligence/criteria.md
+ - name: Submit files for analysis
+ href: threat-protection/intelligence/submission-guide.md
+ - name: Safety Scanner download
+ href: threat-protection/intelligence/safety-scanner-download.md
+ - name: Industry collaboration programs
+ href: threat-protection/intelligence/cybersecurity-industry-partners.md
+ items:
+ - name: Virus information alliance
+ href: threat-protection/intelligence/virus-information-alliance-criteria.md
+ - name: Microsoft virus initiative
+ href: threat-protection/intelligence/virus-initiative-criteria.md
+ - name: Coordinated malware eradication
+ href: threat-protection/intelligence/coordinated-malware-eradication.md
+ - name: Information for developers
+ items:
+ - name: Software developer FAQ
+ href: threat-protection/intelligence/developer-faq.yml
+ - name: Software developer resources
+ href: threat-protection/intelligence/developer-resources.md
+ - name: More Windows security
+ items:
+ - name: Override Process Mitigation Options to help enforce app-related security policies
+ href: threat-protection/override-mitigation-options-for-app-related-security-policies.md
+ - name: Use Windows Event Forwarding to help with intrusion detection
+ href: threat-protection/use-windows-event-forwarding-to-assist-in-intrusion-detection.md
+ - name: Block untrusted fonts in an enterprise
+ href: threat-protection/block-untrusted-fonts-in-enterprise.md
+ - name: Windows Information Protection (WIP)
+ href: information-protection/windows-information-protection/protect-enterprise-data-using-wip.md
+ items:
+ - name: Create a WIP policy using Microsoft Intune
+ href: information-protection/windows-information-protection/overview-create-wip-policy.md
+ items:
+ - name: Create a WIP policy with MDM using the Azure portal for Microsoft Intune
+ href: information-protection/windows-information-protection/create-wip-policy-using-intune-azure.md
+ items:
+ - name: Deploy your WIP policy using the Azure portal for Microsoft Intune
+ href: information-protection/windows-information-protection/deploy-wip-policy-using-intune-azure.md
+ - name: Associate and deploy a VPN policy for WIP using the Azure portal for Microsoft Intune
+ href: information-protection/windows-information-protection/create-vpn-and-wip-policy-using-intune-azure.md
+ - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
+ href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+ - name: Determine the Enterprise Context of an app running in WIP
+ href: information-protection/windows-information-protection/wip-app-enterprise-context.md
+ - name: Create a WIP policy using Microsoft Endpoint Configuration Manager
+ href: information-protection/windows-information-protection/overview-create-wip-policy-configmgr.md
+ items:
+ - name: Create and deploy a WIP policy using Microsoft Endpoint Configuration Manager
+ href: information-protection/windows-information-protection/create-wip-policy-using-configmgr.md
+ - name: Create and verify an EFS Data Recovery Agent (DRA) certificate
+ href: information-protection/windows-information-protection/create-and-verify-an-efs-dra-certificate.md
+ - name: Determine the Enterprise Context of an app running in WIP
+ href: information-protection/windows-information-protection/wip-app-enterprise-context.md
+ - name: Mandatory tasks and settings required to turn on WIP
+ href: information-protection/windows-information-protection/mandatory-settings-for-wip.md
+ - name: Testing scenarios for WIP
+ href: information-protection/windows-information-protection/testing-scenarios-for-wip.md
+ - name: Limitations while using WIP
+ href: information-protection/windows-information-protection/limitations-with-wip.md
+ - name: How to collect WIP audit event logs
+ href: information-protection/windows-information-protection/collect-wip-audit-event-logs.md
+ - name: General guidance and best practices for WIP
+ href: information-protection/windows-information-protection/guidance-and-best-practices-wip.md
+ items:
+ - name: Enlightened apps for use with WIP
+ href: information-protection/windows-information-protection/enlightened-microsoft-apps-and-wip.md
+ - name: Unenlightened and enlightened app behavior while using WIP
+ href: information-protection/windows-information-protection/app-behavior-with-wip.md
+ - name: Recommended Enterprise Cloud Resources and Neutral Resources network settings with WIP
+ href: information-protection/windows-information-protection/recommended-network-definitions-for-wip.md
+ - name: Using Outlook Web Access with WIP
+ href: information-protection/windows-information-protection/using-owa-with-wip.md
+ - name: Fine-tune WIP Learning
+ href: information-protection/windows-information-protection/wip-learning.md
+- name: Application security
+ items:
+ - name: Overview
+ href: apps.md
+ - name: Windows Defender Application Control and virtualization-based protection of code integrity
+ href: threat-protection/device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
+ - name: Windows Defender Application Control
+ href: threat-protection\windows-defender-application-control\windows-defender-application-control.md
+ - name: Microsoft Defender Application Guard
+ href: threat-protection\microsoft-defender-application-guard\md-app-guard-overview.md
+ - name: Windows Sandbox
+ href: threat-protection/windows-sandbox/windows-sandbox-overview.md
+ items:
+ - name: Windows Sandbox architecture
+ href: threat-protection/windows-sandbox/windows-sandbox-architecture.md
+ - name: Windows Sandbox configuration
+ href: threat-protection/windows-sandbox/windows-sandbox-configure-using-wsb-file.md
+ - name: Microsoft Defender SmartScreen overview
+ href: threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
+ - name: Configure S/MIME for Windows
+ href: identity-protection\configure-s-mime.md
+ - name: Windows Credential Theft Mitigation Guide Abstract
+ href: identity-protection\windows-credential-theft-mitigation-guide-abstract.md
+- name: User security and secured identity
+ items:
+ - name: Overview
+ href: identity.md
+ - name: Windows Hello for Business
+ href: identity-protection/hello-for-business/index.yml
+ - name: Windows credential theft mitigation guide
+ href: identity-protection/windows-credential-theft-mitigation-guide-abstract.md
+ - name: Enterprise Certificate Pinning
+ href: identity-protection/enterprise-certificate-pinning.md
+ - name: Protect derived domain credentials with Credential Guard
+ href: identity-protection/credential-guard/credential-guard.md
+ items:
+ - name: How Credential Guard works
+ href: identity-protection/credential-guard/credential-guard-how-it-works.md
+ - name: Credential Guard Requirements
+ href: identity-protection/credential-guard/credential-guard-requirements.md
+ - name: Manage Credential Guard
+ href: identity-protection/credential-guard/credential-guard-manage.md
+ - name: Hardware readiness tool
+ href: identity-protection/credential-guard/dg-readiness-tool.md
+ - name: Credential Guard protection limits
+ href: identity-protection/credential-guard/credential-guard-protection-limits.md
+ - name: Considerations when using Credential Guard
+ href: identity-protection/credential-guard/credential-guard-considerations.md
+ - name: "Credential Guard: Additional mitigations"
+ href: identity-protection/credential-guard/additional-mitigations.md
+ - name: "Credential Guard: Known issues"
+ href: identity-protection/credential-guard/credential-guard-known-issues.md
+ - name: Protect Remote Desktop credentials with Remote Credential Guard
+ href: identity-protection/remote-credential-guard.md
+ - name: Technical support policy for lost or forgotten passwords
+ href: identity-protection/password-support-policy.md
+ - name: Access Control Overview
+ href: identity-protection/access-control/access-control.md
+ items:
+ - name: Dynamic Access Control Overview
+ href: identity-protection/access-control/dynamic-access-control.md
+ - name: Security identifiers
+ href: identity-protection/access-control/security-identifiers.md
+ - name: Security Principals
+ href: identity-protection/access-control/security-principals.md
+ - name: Local Accounts
+ href: identity-protection/access-control/local-accounts.md
+ - name: Active Directory Accounts
+ href: identity-protection/access-control/active-directory-accounts.md
+ - name: Microsoft Accounts
+ href: identity-protection/access-control/microsoft-accounts.md
+ - name: Service Accounts
+ href: identity-protection/access-control/service-accounts.md
+ - name: Active Directory Security Groups
+ href: identity-protection/access-control/active-directory-security-groups.md
+ - name: Special Identities
+ href: identity-protection/access-control/special-identities.md
+ - name: User Account Control
+ href: identity-protection/user-account-control/user-account-control-overview.md
+ items:
+ - name: How User Account Control works
+ href: identity-protection/user-account-control/how-user-account-control-works.md
+ - name: User Account Control security policy settings
+ href: identity-protection/user-account-control/user-account-control-security-policy-settings.md
+ - name: User Account Control Group Policy and registry key settings
+ href: identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+ - name: Smart Cards
+ href: identity-protection/smart-cards/smart-card-windows-smart-card-technical-reference.md
+ items:
+ - name: How Smart Card Sign-in Works in Windows
+ href: identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
+ items:
+ - name: Smart Card Architecture
+ href: identity-protection/smart-cards/smart-card-architecture.md
+ - name: Certificate Requirements and Enumeration
+ href: identity-protection/smart-cards/smart-card-certificate-requirements-and-enumeration.md
+ - name: Smart Card and Remote Desktop Services
+ href: identity-protection/smart-cards/smart-card-and-remote-desktop-services.md
+ - name: Smart Cards for Windows Service
+ href: identity-protection/smart-cards/smart-card-smart-cards-for-windows-service.md
+ - name: Certificate Propagation Service
+ href: identity-protection/smart-cards/smart-card-certificate-propagation-service.md
+ - name: Smart Card Removal Policy Service
+ href: identity-protection/smart-cards/smart-card-removal-policy-service.md
+ - name: Smart Card Tools and Settings
+ href: identity-protection/smart-cards/smart-card-tools-and-settings.md
+ items:
+ - name: Smart Cards Debugging Information
+ href: identity-protection/smart-cards/smart-card-debugging-information.md
+ - name: Smart Card Group Policy and Registry Settings
+ href: identity-protection/smart-cards/smart-card-group-policy-and-registry-settings.md
+ - name: Smart Card Events
+ href: identity-protection/smart-cards/smart-card-events.md
+ - name: Virtual Smart Cards
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-overview.md
+ items:
+ - name: Understanding and Evaluating Virtual Smart Cards
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-understanding-and-evaluating.md
+ items:
+ - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-get-started.md
+ - name: Use Virtual Smart Cards
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-use-virtual-smart-cards.md
+ - name: Deploy Virtual Smart Cards
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-deploy-virtual-smart-cards.md
+ - name: Evaluate Virtual Smart Card Security
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-evaluate-security.md
+ - name: Tpmvscmgr
+ href: identity-protection/virtual-smart-cards/virtual-smart-card-tpmvscmgr.md
+- name: Cloud services
+ items:
+ - name: Overview
+ href: cloud.md
+ - name: Mobile device management
+ href: https://docs.microsoft.com/windows/client-management/mdm/
+ - name: Windows 365 Cloud PCs
+ href: /windows-365/overview
+ - name: Azure Virtual Desktop
+ href: /azure/virtual-desktop/
+- name: Security foundations
+ items:
+ - name: Overview
+ href: security-foundations.md
+ - name: Microsoft Security Development Lifecycle
+ href: threat-protection/msft-security-dev-lifecycle.md
+ - name: Microsoft Bug Bounty Program
+ href: threat-protection/microsoft-bug-bounty-program.md
+ - name: FIPS 140-2 Validation
+ href: threat-protection/fips-140-validation.md
+ - name: Common Criteria Certifications
+ href: threat-protection/windows-platform-common-criteria.md
+- name: Windows Privacy
+ href: /windows/privacy/windows-10-and-privacy-compliance
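Review bot: The Mobile device management entry under Cloud services uses an absolute URL (`href: https://docs.microsoft.com/windows/client-management/mdm/`) while the neighbouring cross-docset entries use root-relative paths (`/windows-365/overview`, `/azure/virtual-desktop/`); use `/windows/client-management/mdm/` so the link follows the site host and locale like the others. Also confirm that the identity-protection pages listed in the deleted identity-protection/TOC.yml further down in this patch (Windows Hello for Business, Credential Guard, Remote Credential Guard, Enterprise Certificate Pinning, Configure S/MIME, the VPN technical guide, the credential theft mitigation guide abstract and password-support-policy.md) are reachable from this new top-level TOC: only User Account Control, Smart Cards and Virtual Smart Cards are carried over in the visible part of this hunk.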
diff --git a/windows/security/apps.md b/windows/security/apps.md
new file mode 100644
index 0000000000..e376d06d98
--- /dev/null
+++ b/windows/security/apps.md
@@ -0,0 +1,28 @@
+---
+title: Windows application security
+description: Get an overview of application security in Windows 10 and Windows 11
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows application security
+
+Cyber-criminals regularly gain access to valuable data by hacking applications. This can include “code injection” attacks, in which attackers insert malicious code that can tamper with data, or even destroy it. An application may have its security misconfigured, leaving open doors for hackers. Or vital customer and corporate information may leave sensitive data exposed. Windows protects your valuable data with layers of application security.
+
+The following table summarizes the Windows security features and capabilities for apps:
-OEM Original Equipment Manufacturer
-CSV Comma Separated Values
-MPC Microsoft Partner Center
-CSP Cloud Solution Provider
-MSfB Microsoft Store for Business
-AAD Azure Active Directory
-4K HH 4K Hardware Hash
-CBR Computer Build Report
-EC Enterprise Commerce (server)
-DDS Device Directory Service
-OOBE Out of the Box Experience
-VM Virtual Machine
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| Windows Defender Application Control | Application control is one of the most effective security controls to prevent unwanted or malicious code from running. It moves away from an application trust model where all code is assumed trustworthy to one where apps must earn trust to run. Learn more: [Application Control for Windows](threat-protection/windows-defender-application-control/windows-defender-application-control.md) |
+| Microsoft Defender Application Guard | Application Guard uses chip-based hardware isolation to isolate untrusted websites and untrusted Office files, seamlessly running untrusted websites and files in an isolated Hyper-V-based container, separate from the desktop operating system, and making sure that anything that happens within the container remains isolated from the desktop. Learn more [Microsoft Defender Application Guard overview](threat-protection/microsoft-defender-application-guard/md-app-guard-overview.md). |
+| Windows Sandbox | Windows Sandbox provides a lightweight desktop environment to safely run applications in isolation. Software installed inside the Windows Sandbox environment remains "sandboxed" and runs separately from the host machine. A sandbox is temporary. When it's closed, all the software and files and the state are deleted. You get a brand-new instance of the sandbox every time you open the application. Learn more: [Windows Sandbox](threat-protection\windows-sandbox\windows-sandbox-overview.md)
+| Email Security | With Windows S/MIME email security, users can encrypt outgoing messages and attachments, so only intended recipients with digital identification (ID)—also called a certificate—can read them. Users can digitally sign a message, which verifies the identity of the sender and ensures the message has not been tampered with.[Configure S/MIME for Windows 10](identity-protection/configure-s-mime.md) |
+| Microsoft Defender SmartScreen | Microsoft Defender SmartScreen protects against phishing or malware websites and applications, and the downloading of potentially malicious files. Learn more: [Microsoft Defender SmartScreen overview](threat-protection/microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md) |
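Review bot: The Windows Sandbox row's link uses backslashes (`threat-protection\windows-sandbox\windows-sandbox-overview.md`), which is not a valid path separator for Markdown links and will not resolve in the docs build; use forward slashes as the other rows do. The same row is missing its closing `|`, the Email Security row runs the link straight onto the sentence (`tampered with.[Configure S/MIME for Windows 10]`) without the `Learn more:` lead-in the other rows use, and the Application Guard row lacks the colon after `Learn more`. In the intro, `Or vital customer and corporate information may leave sensitive data exposed` has no clear subject; `Or an application may expose vital customer and corporate information` says what is meant. Separately, the `-OEM ... -VM` glossary lines that appear between `The following table summarizes` and the table cannot belong to a hunk for a newly created file (`--- /dev/null`); they look like a fragment of another file's diff spliced in, so check the patch as submitted.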
diff --git a/windows/security/cloud.md b/windows/security/cloud.md
new file mode 100644
index 0000000000..7bccc2aa84
--- /dev/null
+++ b/windows/security/cloud.md
@@ -0,0 +1,39 @@
+---
+title: Windows and cloud security
+description: Get an overview of cloud services supported in Windows 11 and Windows 10
+ms.reviewer:
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/20/2021
+ms.localizationpriority: medium
+ms.custom:
+f1.keywords: NOCSH
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+search.appverid: MET150
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows and cloud security
+
+Today’s workforce has more freedom and mobility than ever before. With the growth of enterprise cloud adoption, increased personal app usage, and increased use of third-party apps, the risk of data exposure is at its highest. Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services. Windows and cloud services together help organizations strengthen their multi-cloud security infrastructure, protect hybrid cloud workloads, and safeguard sensitive information while controlling access and mitigating threats.
+
+Windows 11 includes the cloud services that are listed in the following table:
+
+| Service type | Description |
+|:---|:---|
+| Mobile device management (MDM) and Microsoft Endpoint Manager | Windows 11 supports MDM, an enterprise management solution to help you manage your organization's security policies and business applications. MDM enables your security team to manage devices without compromising people's privacy on their personal devices.
Non-Microsoft servers can be used to manage Windows 11 by using industry standard protocols.
To learn more, see [Mobile device management](/windows/client-management/mdm/). |
+| Microsoft account | When users add their Microsoft account to Windows 11, they can bring their Windows, Microsoft Edge, Xbox settings, web page favorites, files, photos, and more across their devices.
The Microsoft account enables people to manage everything in one place. They can keep tabs on their subscriptions and order history, organize their family's digital life, update their privacy and security settings, track the health and safety of their devices, and even get rewards.
To learn more, see [Microsoft Accounts](identity-protection/access-control/microsoft-accounts.md).|
+| OneDrive | OneDrive is your online storage for your files, photos, and data. OneDrive provides extra security, backup, and restore options for important files and photos. With options for both personal and business, people can use OneDrive to store and protect files in the cloud, allowing users to them on their laptops, desktops, and mobile devices. If a device is lost or stolen, people can quickly recover all their important files, photos, and data.
The OneDrive Personal Vault also provides protection for your most sensitive files without losing the convenience of anywhere access. Files are secured by identity verification, yet easily accessible to users across their devices. [Learn how to set up your Personal Vault](https://support.microsoft.com/office/protect-your-onedrive-files-in-personal-vault-6540ef37-e9bf-4121-a773-56f98dce78c4).
In the event of a ransomware attack, OneDrive can enable recovery. And if you’ve configured backups in OneDrive, you have more options to mitigate and recover from a ransomware attack. [Learn more about how to recover from a ransomware attack using Office 365](/microsoft-365/security/office-365-security/recover-from-ransomware). |
+| Access to Azure Active Directory | Microsoft Azure Active Directory (Azure AD) is a complete cloud identity and access management solution for managing identities and directories, enabling access to applications, and protecting identities from security threats.
With Azure AD, you can manage and secure identities for your employees, partners, and customers to access the applications and services they need. Windows 11 works seamlessly with Azure Active Directory to provide secure access, identity management, and single sign-on to apps and services from anywhere.
To learn more, see [What is Azure AD?](/azure/active-directory/fundamentals/active-directory-whatis) |
+
+## Next steps
+
+- [Learn more about MDM and Windows 11](/windows/client-management/mdm/)
+- [Learn more about Windows security](index.yml)
\ No newline at end of file
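Review bot: The OneDrive row has a dropped verb: `allowing users to them on their laptops, desktops, and mobile devices` should read `allowing users to access them ...`. Each Description cell in this table also continues onto following lines (for example the MDM row's `Non-Microsoft servers can be used ...` and `To learn more, see ...` lines) with no leading `|`; Markdown tables require each row on one line, so the table will break after its first row unless the continuations are joined with `<br>` or kept on a single line. The opening sentence `Enabling Zero-Trust protection, Windows 11 works with Microsoft cloud services` has a dangling modifier; `Windows 11 works with Microsoft cloud services to enable Zero Trust protection` reads plainly. The file also ends without a trailing newline.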
diff --git a/windows/security/cryptography-certificate-mgmt.md b/windows/security/cryptography-certificate-mgmt.md
new file mode 100644
index 0000000000..7c781c1bdf
--- /dev/null
+++ b/windows/security/cryptography-certificate-mgmt.md
@@ -0,0 +1,43 @@
+---
+title: Cryptography and Certificate Management
+description: Get an overview of cryptography and certificate management in Windows
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/07/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: skhadeer, raverma
+f1.keywords: NOCSH
+---
+
+# Cryptography and Certificate Management
+
+
+## Cryptography
+
+Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure. The cryptography stack in Windows extends from the chip to the cloud enabling Windows, applications, and services protect system and user secrets.
+
+Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified. FIPS 140 certification ensures that US government approved algorithms are being used (RSA for signing, ECDH with NIST curves for key agreement, AES for symmetric encryption, and SHA2 for hashing), tests module integrity to prove that no tampering has occurred and proves the randomness for entropy sources.
+
+Windows cryptographic modules provide low-level primitives such as:
+
+- Random number generators (RNG)
+- Symmetric and asymmetric encryption (support for AES 128/256 and RSA 512 to 16384, in 64-bit increments and ECDSA over NIST-standard prime curves P-256, P-384, P-521)
+- Hashing (support for SHA-256, SHA-384, and SHA-512)
+- Signing and verification (padding support for OAEP, PSS, PKCS1)
+- Key agreement and key derivation (support for ECDH over NIST-standard prime curves P-256, P-384, P-521, and HKDF)
+
+These modules are natively exposed on Windows through the Crypto API (CAPI) and the Cryptography Next Generation API (CNG) which is powered by Microsoft's open-source cryptographic library SymCrypt. Application developers can use these APIs to perform low-level cryptographic operations (BCrypt), key storage operations (NCrypt), protect static data (DPAPI), and securely share secrets (DPAPI-NG).
+
+## Certificate management
+
+Windows offers several APIs to operate and manage certificates. Certificates are crucial to public key infrastructure (PKI) as they provide the means for safeguarding and authenticating information. Certificates are electronic documents used to claim ownership of a public key. Public keys are used to prove server and client identity, validate code integrity, and used in secure emails. Windows offers users the ability to auto-enroll and renew certificates in Active Directory with Group Policy to reduce the risk of potential outages due to certificate expiration or misconfiguration. Windows validates certificates through an automatic update mechanism that downloads certificate trust lists (CTL) daily. Trusted root certificates are used by applications as a reference for trustworthy PKI hierarchies and digital certificates. The list of trusted and untrusted certificates are stored in the CTL and can be updated by administrators. In the case of certificate revocation, a certificate is added as an untrusted certificate in the CTL causing it to be revoked globally across user devices immediately.
+
+Windows also offers enterprise certificate pinning to help reduce man-in-the-middle attacks by enabling users to protect their internal domain names from chaining to unwanted certificates. A web application's server authentication certificate chain is checked to ensure it matches a restricted set of certificates. Any web application triggering a name mismatch will start event logging and prevent user access from Edge or Internet Explorer.
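Review bot: In the primitives list, OAEP is an RSA encryption padding scheme, not a signature padding, so `Signing and verification (padding support for OAEP, PSS, PKCS1)` is inaccurate; list OAEP under the encryption bullet and keep PSS and PKCS#1 v1.5 under signing. In the certificate management paragraph, `causing it to be revoked globally across user devices immediately` contradicts the sentence two earlier that says CTLs are downloaded daily, and a CTL disallowed-list entry is a distrust mechanism distinct from CRL/OCSP revocation; say that the certificate is distrusted on devices once they fetch the updated CTL. `Cryptography in Windows is Federal Information Processing Standards (FIPS) 140 certified` also overstates: validation applies to specific cryptographic modules at specific versions, so link the FIPS 140-2 Validation page this patch adds to the TOC (`threat-protection/fips-140-validation.md`) rather than claiming it wholesale. Minor grammar: `enabling Windows, applications, and services protect` needs `to protect`; `The list of trusted and untrusted certificates are stored` should be `is stored`; `the Cryptography Next Generation API (CNG) which is powered by` needs a comma before `which`; and there is a doubled blank line under the H1.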
diff --git a/windows/security/docfx.json b/windows/security/docfx.json
index 3a997cd1e9..d1a625e8bd 100644
--- a/windows/security/docfx.json
+++ b/windows/security/docfx.json
@@ -48,7 +48,7 @@
"folder_relative_path_in_docset": "./"
}
},
- "titleSuffix": "Microsoft 365 Security",
+ "titleSuffix": "Windows security",
"contributors_to_exclude": [
"rjagiewich",
"traya1",
diff --git a/windows/security/encryption-data-protection.md b/windows/security/encryption-data-protection.md
new file mode 100644
index 0000000000..359afde71f
--- /dev/null
+++ b/windows/security/encryption-data-protection.md
@@ -0,0 +1,54 @@
+---
+title: Encryption and data protection in Windows
+description: Get an overview encryption and data protection in Windows 11 and Windows 10
+search.appverid: MET150
+author: denisebmsft
+ms.author: deniseb
+manager: dansimp
+audience: ITPro
+ms.topic: conceptual
+ms.date: 09/08/2021
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.localizationpriority: medium
+ms.collection:
+ms.custom:
+ms.reviewer: deepakm, rafals
+f1.keywords: NOCSH
+---
+
+# Encryption and data protection in Windows client
+
+When people travel with their computers and devices, their confidential information travels with them. Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications.
+Encryption and data protection features include:
+
+- Encrypted Hard Drive
+- BitLocker
+
+## Encrypted Hard Drive
+
+Encrypted Hard Drive uses the rapid encryption provided by BitLocker Drive Encryption to enhance data security and management.
+By offloading the cryptographic operations to hardware, encrypted hard drives increase BitLocker performance and reduce CPU usage and power consumption. Because encrypted hard drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
+
+Encrypted hard drives provide:
+
+- Better performance: Encryption hardware, integrated into the drive controller, allows the drive to operate at full data rate with no performance degradation.
+- Strong security based in hardware: Encryption is always "on" and the keys for encryption never leave the hard drive. User authentication is performed by the drive before it will unlock, independently of the operating system.
+- Ease of use: Encryption is transparent to the user, and the user does not need to enable it. Encrypted hard drives are easily erased using on-board encryption key; there is no need to re-encrypt data on the drive.
+- Lower cost of ownership: There is no need for new infrastructure to manage encryption keys, since BitLocker uses your existing infrastructure to store recovery information. Your device operates more efficiently because processor cycles do not need to be used for the encryption process.
+
+Encrypted hard drives are a new class of hard drives that are self-encrypted at a hardware level and allow for full disk hardware encryption.
+
+## BitLocker
+
+BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers.
+
+BitLocker provides encryption for the operating system, fixed data, and removable data drives, using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM.
+
+Windows consistently improves data protection by improving existing options and providing new strategies.
+
+
+## See also
+
+- [Encrypted Hard Drive](information-protection/encrypted-hard-drive.md)
+- [BitLocker](information-protection/bitlocker/bitlocker-overview.md)
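Review bot: `using technologies like hardware security test interface (HSTI), Modern Standby, UEFI Secure Boot, and TPM` misdescribes the relationship: HSTI is a hardware test specification and Modern Standby a power model, platform prerequisites rather than technologies BitLocker encrypts with, so either describe them as prerequisites for BitLocker's automatic encryption path or drop them from this sentence. The H1 `Encryption and data protection in Windows client` does not match the front-matter title `Encryption and data protection in Windows`, and the description is missing a word (`Get an overview encryption`). The definitional sentence `Encrypted hard drives are a new class of hard drives ...` sits after the benefit list; move it to open the section and drop `new`, which dates the page. In the ease-of-use bullet, `using on-board encryption key` needs `the`, and there is a doubled blank line before `## See also`.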
diff --git a/windows/security/hardware.md b/windows/security/hardware.md
new file mode 100644
index 0000000000..435dd886c2
--- /dev/null
+++ b/windows/security/hardware.md
@@ -0,0 +1,27 @@
+---
+title: Windows hardware security
+description: Get an overview of hardware security in Windows 11 and Windows 10
+ms.reviewer:
+manager: dansimp
+ms.author: dansimp
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: dansimp
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows hardware security
+
+Modern threats require modern security with a strong alignment between hardware security and software security techniques to keep users, data, and devices protected. The operating system alone cannot protect from the wide range of tools and techniques cybercriminals use to compromise a computer deep inside its silicon. Once inside, intruders can be difficult to detect while engaging in multiple nefarious activities from stealing important data to capturing email addresses and other sensitive pieces of information.
+These new threats call for computing hardware that is secure down to the very core, including hardware chips and processors. Microsoft and our partners, including chip and device manufacturers, have worked together to integrate powerful security capabilities across software, firmware, and hardware.
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| Trusted Platform Module (TPM) | A Trusted Platform Module (TPM) is designed to provide hardware-based security-related functions and help prevent unwanted tampering. TPMs provide security and privacy benefits for system hardware, platform owners, and users.
A TPM chip is a secure crypto-processor that helps with actions such as generating, storing, and limiting the use of cryptographic keys. Many TPMs include multiple physical security mechanisms to make it tamper resistant and prevent malicious software from tampering with the security functions of the TPM.
Learn more about the [Trusted Platform Module](information-protection/tpm/trusted-platform-module-top-node.md). |
+| Hardware-based root of trust with Windows Defender System Guard | To protect critical resources such as Windows authentication, single sign-on tokens, Windows Hello, and the Virtual Trusted Platform Module, a system's firmware and hardware must be trustworthy.
Windows Defender System Guard helps protect and maintain the integrity of the system as it starts up and validate that system integrity has truly been maintained through local and remote attestation.
Learn more about [How a hardware-based root of trust helps protect Windows](threat-protection/windows-defender-system-guard/how-hardware-based-root-of-trust-helps-protect-windows.md) and [System Guard Secure Launch and SMM protection](threat-protection/windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md). |
+| Enable virtualization-based protection of code integrity | Hypervisor-protected Code Integrity (HVCI) is a virtualization based security (VBS) feature available in Windows. In the Windows Device Security settings, HVCI is referred to as Memory Integrity.
HVCI and VBS improve the threat model of Windows and provide stronger protections against malware trying to exploit the Windows Kernel. VBS uses the Windows Hypervisor to create an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised. HVCI is a critical component that protects and hardens this virtual environment by running kernel mode code integrity within it and restricting kernel memory allocations that could be used to compromise the system.
Learn more: [Enable virtualization-based protection of code integrity](threat-protection/device-guard/enable-virtualization-based-protection-of-code-integrity.md).
+| Kernel Direct Memory Access (DMA) Protection | PCIe hot plug devices such as Thunderbolt, USB4, and CFexpress allow users to attach new classes of external peripherals, including graphics cards or other PCI devices, to their PCs with an experience identical to USB. Because PCI hot plug ports are external and easily accessible, PCs are susceptible to drive-by Direct Memory Access (DMA) attacks. Memory access protection (also known as Kernel DMA Protection) protects PCs against drive-by DMA attacks that use PCIe hot plug devices by limiting these external peripherals from being able to directly copy memory when the user has locked their PC.
Learn more about [Kernel DMA Protection](information-protection/kernel-dma-protection-for-thunderbolt.md). |
+| Secured-core PCs | Microsoft is working closely with OEM partners and silicon vendors to build Secured-core PCs that feature deeply integrated hardware, firmware, and software to ensure enhanced security for devices, identities, and data.
Secured-core PCs provide protections that are useful against sophisticated attacks and can provide increased assurance when handling mission-critical data in some of the most data-sensitive industries, such as healthcare workers that handle medical records and other personally identifiable information (PII), commercial roles that handle high business impact and highly sensitive data, such as a financial controller with earnings data.
Learn more about [Secured-core PCs](/windows-hardware/design/device-experiences/oem-highly-secure).|
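Review bot: The HVCI row is mis-titled and mis-terminated: its Security Measures cell reads `Enable virtualization-based protection of code integrity`, an imperative copied from the linked article, where every other row names the feature (use `Hypervisor-protected Code Integrity (HVCI)`), and the row ends at `...code-integrity.md).` with no closing `|`. As in cloud.md, every Description cell continues on following lines with no leading `|` (for example `A TPM chip is a secure crypto-processor ...`), which breaks the Markdown table after the first row; join the continuations with `<br>`. Grammar in the rows: `Many TPMs include multiple physical security mechanisms to make it tamper resistant` should be `to make them tamper-resistant`; `Windows Defender System Guard helps protect ... and validate that system integrity` should be `validates`; and `creates an isolated virtual environment that becomes the root of trust of the OS that assumes the kernel can be compromised` needs splitting, e.g. `... that becomes the root of trust of the OS, on the assumption that the kernel can be compromised`. In the intro, `cannot protect from` should be `cannot protect against`.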
diff --git a/windows/security/identity-protection/TOC.yml b/windows/security/identity-protection/TOC.yml
deleted file mode 100644
index 5e4680879e..0000000000
--- a/windows/security/identity-protection/TOC.yml
+++ /dev/null
@@ -1,132 +0,0 @@
-- name: Identity and access management
- href: index.md
- items:
- - name: Technical support policy for lost or forgotten passwords
- href: password-support-policy.md
- - name: Access Control Overview
- href: access-control/access-control.md
- items:
- - name: Dynamic Access Control Overview
- href: access-control/dynamic-access-control.md
- - name: Security identifiers
- href: access-control/security-identifiers.md
- - name: Security Principals
- href: access-control/security-principals.md
- - name: Local Accounts
- href: access-control/local-accounts.md
- - name: Active Directory Accounts
- href: access-control/active-directory-accounts.md
- - name: Microsoft Accounts
- href: access-control/microsoft-accounts.md
- - name: Service Accounts
- href: access-control/service-accounts.md
- - name: Active Directory Security Groups
- href: access-control/active-directory-security-groups.md
- - name: Special Identities
- href: access-control/special-identities.md
- - name: User Account Control
- href: user-account-control\user-account-control-overview.md
- items:
- - name: How User Account Control works
- href: user-account-control\how-user-account-control-works.md
- - name: User Account Control security policy settings
- href: user-account-control\user-account-control-security-policy-settings.md
- - name: User Account Control Group Policy and registry key settings
- href: user-account-control\user-account-control-group-policy-and-registry-key-settings.md
- - name: Windows Hello for Business
- href: hello-for-business/index.yml
- - name: Protect derived domain credentials with Credential Guard
- href: credential-guard/credential-guard.md
- items:
- - name: How Credential Guard works
- href: credential-guard/credential-guard-how-it-works.md
- - name: Credential Guard Requirements
- href: credential-guard/credential-guard-requirements.md
- - name: Manage Credential Guard
- href: credential-guard/credential-guard-manage.md
- - name: Hardware readiness tool
- href: credential-guard/dg-readiness-tool.md
- - name: Credential Guard protection limits
- href: credential-guard/credential-guard-protection-limits.md
- - name: Considerations when using Credential Guard
- href: credential-guard/credential-guard-considerations.md
- - name: "Credential Guard: Additional mitigations"
- href: credential-guard/additional-mitigations.md
- - name: "Credential Guard: Known issues"
- href: credential-guard/credential-guard-known-issues.md
- - name: Protect Remote Desktop credentials with Remote Credential Guard
- href: remote-credential-guard.md
- - name: Smart Cards
- href: smart-cards/smart-card-windows-smart-card-technical-reference.md
- items:
- - name: How Smart Card Sign-in Works in Windows
- href: smart-cards/smart-card-how-smart-card-sign-in-works-in-windows.md
- items:
- - name: Smart Card Architecture
- href: smart-cards/smart-card-architecture.md
- - name: Certificate Requirements and Enumeration
- href: smart-cards/smart-card-certificate-requirements-and-enumeration.md
- - name: Smart Card and Remote Desktop Services
- href: smart-cards/smart-card-and-remote-desktop-services.md
- - name: Smart Cards for Windows Service
- href: smart-cards/smart-card-smart-cards-for-windows-service.md
- - name: Certificate Propagation Service
- href: smart-cards/smart-card-certificate-propagation-service.md
- - name: Smart Card Removal Policy Service
- href: smart-cards/smart-card-removal-policy-service.md
- - name: Smart Card Tools and Settings
- href: smart-cards/smart-card-tools-and-settings.md
- items:
- - name: Smart Cards Debugging Information
- href: smart-cards/smart-card-debugging-information.md
- - name: Smart Card Group Policy and Registry Settings
- href: smart-cards/smart-card-group-policy-and-registry-settings.md
- - name: Smart Card Events
- href: smart-cards/smart-card-events.md
- - name: Virtual Smart Cards
- href: virtual-smart-cards\virtual-smart-card-overview.md
- items:
- - name: Understanding and Evaluating Virtual Smart Cards
- href: virtual-smart-cards\virtual-smart-card-understanding-and-evaluating.md
- items:
- - name: "Get Started with Virtual Smart Cards: Walkthrough Guide"
- href: virtual-smart-cards\virtual-smart-card-get-started.md
- - name: Use Virtual Smart Cards
- href: virtual-smart-cards\virtual-smart-card-use-virtual-smart-cards.md
- - name: Deploy Virtual Smart Cards
- href: virtual-smart-cards\virtual-smart-card-deploy-virtual-smart-cards.md
- - name: Evaluate Virtual Smart Card Security
- href: virtual-smart-cards\virtual-smart-card-evaluate-security.md
- - name: Tpmvscmgr
- href: virtual-smart-cards\virtual-smart-card-tpmvscmgr.md
- - name: Enterprise Certificate Pinning
- href: enterprise-certificate-pinning.md
- - name: Windows 10 credential theft mitigation guide abstract
- href: windows-credential-theft-mitigation-guide-abstract.md
- - name: Configure S/MIME for Windows 10
- href: configure-s-mime.md
- - name: VPN technical guide
- href: vpn\vpn-guide.md
- items:
- - name: VPN connection types
- href: vpn\vpn-connection-type.md
- - name: VPN routing decisions
- href: vpn\vpn-routing.md
- - name: VPN authentication options
- href: vpn\vpn-authentication.md
- - name: VPN and conditional access
- href: vpn\vpn-conditional-access.md
- - name: VPN name resolution
- href: vpn\vpn-name-resolution.md
- - name: VPN auto-triggered profile options
- href: vpn\vpn-auto-trigger-profile.md
- - name: VPN security features
- href: vpn\vpn-security-features.md
- - name: VPN profile options
- href: vpn\vpn-profile-options.md
- - name: How to configure Diffie Hellman protocol over IKEv2 VPN connections
- href: vpn\how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
- - name: How to use single sign-on (SSO) over VPN and Wi-Fi connections
- href: vpn\how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
- - name: Optimizing Office 365 traffic with the Windows 10 VPN client
- href: vpn\vpn-office-365-optimization.md
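Review bot: Deleting this TOC removes the only navigation entry for `index.md` (the identity-protection landing page) together with the VPN technical guide, Enterprise Certificate Pinning, Windows Hello for Business, Credential Guard, Remote Credential Guard, Configure S/MIME, the credential theft mitigation guide abstract and password-support-policy.md; each of these needs either an entry in the new top-level windows/security TOC or a redirect in .openpublishing.redirection.json, and index.md in particular should be redirected if nothing links it any more. The old file used backslash paths (`user-account-control\user-account-control-overview.md`, `virtual-smart-cards\virtual-smart-card-overview.md`) that the new TOC correctly rewrites with forward slashes; check that no other moved entries kept the backslashes.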
diff --git a/windows/security/identity-protection/access-control/active-directory-security-groups.md b/windows/security/identity-protection/access-control/active-directory-security-groups.md
index 9b9c40977d..f191ffdf77 100644
--- a/windows/security/identity-protection/access-control/active-directory-security-groups.md
+++ b/windows/security/identity-protection/access-control/active-directory-security-groups.md
@@ -1,5 +1,5 @@
---
-title: Active Directory Security Groups (Windows 10)
+title: Active Directory Security Groups
description: Active Directory Security Groups
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,14 +12,15 @@ manager: dansimp
ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
-ms.date: 04/19/2017
+ms.date: 09/21/2021
ms.reviewer:
---
# Active Directory Security Groups
**Applies to**
-- Windows Server 2016
+- Windows Server 2016 or later
+- Windows 10 or later
This reference topic for the IT professional describes the default Active Directory security groups.
@@ -1489,7 +1490,7 @@ This security group has not changed since Windows Server 2008.
-
+
@@ -1885,7 +1886,7 @@ This security group has not changed since Windows Server 2008.
-
+
diff --git a/windows/security/identity-protection/change-history-for-access-protection.md b/windows/security/identity-protection/change-history-for-access-protection.md
deleted file mode 100644
index 9cd9f0847d..0000000000
--- a/windows/security/identity-protection/change-history-for-access-protection.md
+++ /dev/null
@@ -1,36 +0,0 @@
----
-title: Change history for access protection (Windows 10)
-description: This topic lists new and updated topics in the Windows 10 access protection documentation for Windows 10.
-ms.prod: w10
-ms.mktglfcycl: deploy
-ms.sitesec: library
-ms.pagetype: security
-audience: ITPro
-author: dansimp
-ms.author: dansimp
-manager: dansimp
-ms.collection: M365-identity-device-management
-ms.topic: article
-ms.localizationpriority: medium
-ms.date: 08/11/2017
-ms.reviewer:
----
-
-# Change history for access protection
-This topic lists new and updated topics in the [Access protection](index.md) documentation.
-
-## August 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Microsoft accounts](access-control/microsoft-accounts.md) |Revised to cover new Group Policy setting in Windows 10, version 1703, named **Block all consumer Microsoft account user authentication**.|
-
-## June 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[How hardware-based containers help protect Windows 10](/windows/security/threat-protection/windows-defender-atp/how-hardware-based-containers-help-protect-windows) | New |
-
-
-## March 2017
-|New or changed topic |Description |
-|---------------------|------------|
-|[Protect derived domain credentials with Credential Guard](credential-guard/credential-guard.md) |Updated to include additional security qualifications starting with Window 10, version 1703.|
\ No newline at end of file
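Review bot: Deleting this page removes the only record of the March 2017 Credential Guard qualification update and the August 2017 "Block all consumer Microsoft account user authentication" Group Policy note; make sure a redirect for change-history-for-access-protection.md is in place so inbound links do not 404, and consider moving those two entries into the target pages' own history sections before dropping the file.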
diff --git a/windows/security/identity-protection/configure-s-mime.md b/windows/security/identity-protection/configure-s-mime.md
index 9423de2923..2f95950f32 100644
--- a/windows/security/identity-protection/configure-s-mime.md
+++ b/windows/security/identity-protection/configure-s-mime.md
@@ -1,5 +1,5 @@
---
-title: Configure S/MIME for Windows 10
+title: Configure S/MIME for Windows
description: S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients with a digital ID, also known as a certificate, can read them.
ms.assetid: 7F9C2A99-42EB-4BCC-BB53-41C04FBBBF05
ms.reviewer:
@@ -19,16 +19,17 @@ ms.date: 07/27/2017
---
-# Configure S/MIME for Windows 10
+# Configure S/MIME for Windows
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
-S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. In Windows 10, S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
+S/MIME stands for Secure/Multipurpose Internet Mail Extensions, and provides an added layer of security for email sent to and from an Exchange ActiveSync (EAS) account. S/MIME lets users encrypt outgoing messages and attachments so that only intended recipients who have a digital identification (ID), also known as a certificate, can read them. Users can digitally sign a message, which provides the recipients with a way to verify the identity of the sender and that the message hasn't been tampered with.
## About message encryption
-Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows 10 Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
+Users can send encrypted message to people in their organization and people outside their organization if they have their encryption certificates. However, users using Windows Mail app can only read encrypted messages if the message is received on their Exchange account and they have corresponding decryption keys.
Encrypted messages can be read only by recipients who have a certificate. If you try to send an encrypted message to recipient(s) whose encryption certificate are not available, the app will prompt you to remove these recipients before sending the email.
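Review bot: The hunk header shows ms.date still set to 07/27/2017 even though the page is being updated to cover Windows 11; bump it as the other pages in this change do. While the "About message encryption" line is being rewritten, also fix the two grammar slips carried over from the old text: "send encrypted message" should be "send encrypted messages", and "users using Windows Mail app" reads better as "users of the Windows Mail app".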
@@ -48,7 +49,7 @@ A digitally signed message reassures the recipient that the message hasn't been
On the device, perform the following steps: (add select certificate)
-1. Open the Mail app. (In Windows 10 Mobile, the app is Outlook Mail.)
+1. Open the Mail app.
2. Open **Settings** by tapping the gear icon on a PC, or the ellipsis (...) and then the gear icon on a phone.
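Review bot: The unchanged context line "On the device, perform the following steps: (add select certificate)" carries an editorial placeholder that should be resolved or removed in this pass, and step 2 still describes "the ellipsis (...) and then the gear icon on a phone" after the Windows 10 Mobile wording is dropped from step 1; either keep the phone instructions consistently or remove them from both steps.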
diff --git a/windows/security/identity-protection/credential-guard/additional-mitigations.md b/windows/security/identity-protection/credential-guard/additional-mitigations.md
index ca6a1c8da0..74a0f7dd85 100644
--- a/windows/security/identity-protection/credential-guard/additional-mitigations.md
+++ b/windows/security/identity-protection/credential-guard/additional-mitigations.md
@@ -43,7 +43,7 @@ Domain-joined device certificate authentication has the following requirements:
- All domain controllers in those domains have KDC certificates which satisfy strict KDC validation certificate requirements:
- KDC EKU present
- DNS domain name matches the DNSName field of the SubjectAltName (SAN) extension
-- Windows 10 devices have the CA issuing the domain controller certificates in the enterprise store.
+- Windows devices have the CA issuing the domain controller certificates in the enterprise store.
- A process is established to ensure the identity and trustworthiness of the device in a similar manner as you would establish the identity and trustworthiness of a user before issuing them a smartcard.
#### Deploying domain-joined device certificates
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
index d04097f751..871578d4d0 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-considerations.md
@@ -1,6 +1,6 @@
---
-title: Advice while using Windows Defender Credential Guard (Windows 10)
-description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows 10.
+title: Advice while using Windows Defender Credential Guard (Windows)
+description: Considerations and recommendations for certain scenarios when using Windows Defender Credential Guard in Windows.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -19,8 +19,10 @@ ms.reviewer:
# Considerations when using Windows Defender Credential Guard
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
Passwords are still weak. We recommend that in addition to deploying Windows Defender Credential Guard, organizations move away from passwords to other authentication methods, such as physical smart cards, virtual smart cards, or Windows Hello for Business.
@@ -79,7 +81,7 @@ If you must clear the TPM on a domain-joined device without connectivity to doma
Domain user sign-in on a domain-joined device after clearing a TPM for as long as there is no connectivity to a domain controller:
-|Credential Type | Windows 10 version | Behavior
+|Credential Type | Windows version | Behavior
|---|---|---|
| Certificate (smart card or Windows Hello for Business) | All | All data protected with user DPAPI is unusable and user DPAPI does not work at all. |
| Password | Windows 10 v1709 or later | If the user signed-in with a certificate or password prior to clearing the TPM, then they can sign-in with password and user DPAPI is unaffected.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
index b122158529..c3473caa24 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-how-it-works.md
@@ -19,19 +19,21 @@ ms.reviewer:
# How Windows Defender Credential Guard works
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
-Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
+Kerberos, NTLM, and Credential manager isolate secrets by using virtualization-based security. Previous versions of Windows stored secrets in the Local Security Authority (LSA). Prior to Windows 10, the LSA stored secrets used by the operating system in its process memory. With Windows Defender Credential Guard enabled, the LSA process in the operating system talks to a new component called the isolated LSA process that stores and protects those secrets. Data stored by the isolated LSA process is protected using Virtualization-based security and is not accessible to the rest of the operating system. LSA uses remote procedure calls to communicate with the isolated LSA process.
For security reasons, the isolated LSA process doesn't host any device drivers. Instead, it only hosts a small subset of operating system binaries that are needed for security and nothing else. All of these binaries are signed with a certificate that is trusted by virtualization-based security and these signatures are validated before launching the file in the protected environment.
-When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault which are not protected by Windows Defender Credential Guard with any of these protocols. It is strongly recommended that valuable credentials, such as the sign-in credentials, not be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
+When Windows Defender Credential Guard is enabled, NTLMv1, MS-CHAPv2, Digest, and CredSSP cannot use the signed-in credentials. Thus, single sign-on does not work with these protocols. However, applications can prompt for credentials or use credentials stored in the Windows Vault, which are not protected by Windows Defender Credential Guard with any of these protocols. It is recommended that valuable credentials, such as the sign-in credentials, are not to be used with any of these protocols. If these protocols must be used by domain or Azure AD users, secondary credentials should be provisioned for these use cases.
When Windows Defender Credential Guard is enabled, Kerberos does not allow unconstrained Kerberos delegation or DES encryption, not only for signed-in credentials, but also prompted or saved credentials.
-Here's a high-level overview on how the LSA is isolated by using virtualization-based security:
+Here's a high-level overview on how the LSA is isolated by using Virtualization-based security:

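Review bot: The replacement of "It is strongly recommended that valuable credentials ... not be used" with "It is recommended that valuable credentials ... are not to be used" both weakens the guidance and introduces a grammar error; keep "strongly recommended" and "not be used", since the surrounding text still says single sign-on is blocked for NTLMv1, MS-CHAPv2, Digest and CredSSP precisely to keep sign-in credentials away from them. Also, capitalizing "Virtualization-based security" mid-sentence in the two changed lines is inconsistent with the unchanged "trusted by virtualization-based security" in the following paragraph.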
@@ -39,4 +41,4 @@ Here's a high-level overview on how the LSA is isolated by using virtualization-
**Related videos**
-[What is virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
+[What is Virtualization-based security?](https://www.linkedin.com/learning/microsoft-cybersecurity-stack-advanced-identity-and-endpoint-protection/what-is-virtualization-based-security)
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
index 5d76d6be7c..208a4b22a1 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-known-issues.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Credential Guard - Known issues (Windows 10)
-description: Windows Defender Credential Guard - Known issues in Windows 10 Enterprise
+title: Windows Defender Credential Guard - Known issues (Windows)
+description: Windows Defender Credential Guard - Known issues in Windows Enterprise
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -19,9 +19,10 @@ ms.reviewer:
# Windows Defender Credential Guard: Known issues
**Applies to**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
Windows Defender Credential Guard has certain application requirements. Windows Defender Credential Guard blocks specific authentication capabilities. Therefore applications that require such capabilities will not function when it is enabled. For further information, see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
@@ -51,12 +52,12 @@ The following known issue has been fixed in the [Cumulative Security Update for
The following known issues have been fixed by servicing releases made available in the Cumulative Security Updates for April 2017:
-- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows 10 machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
+- [KB4015217 Windows Defender Credential Guard generates double bad password count on Active Directory domain-joined Windows machines](https://support.microsoft.com/help/4015217/windows-10-update-kb4015217)
This issue can potentially lead to unexpected account lockouts. See also Microsoft® Knowledge Base articles [KB4015219](https://support.microsoft.com/help/4015219/windows-10-update-kb4015219) and [KB4015221](https://support.microsoft.com/help/4015221/windows-10-update-kb4015221)
-- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows 10](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
+- [KB4033236 Two incorrect logon attempts sent to Active Directory after Windows Defender Credential Guard installed on Windows](https://support.microsoft.com/help/4033236/two-incorrect-logon-attempts-sent-to-active-directory-after-credential?preview)
This issue can potentially lead to unexpected account lockouts. The issue was fixed in servicing updates for each of the following operating systems:
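Review bot: The two bullets are titles of external Microsoft KB articles (KB4015217, KB4033236), so rewriting "Windows 10" out of the link text no longer matches the articles' actual titles while the URLs still say windows-10-update; keep the original titles verbatim, or present them as paraphrased descriptions rather than as the article names.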
@@ -69,30 +70,30 @@ The following known issues have been fixed by servicing releases made available
The following issue affects the Java GSS API. See the following Oracle bug database article:
-- [JDK-8161921: Windows 10 Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
+- [JDK-8161921: Windows Defender Credential Guard does not allow sharing of TGT with Java](http://bugs.java.com/bugdatabase/view_bug.do?bug_id=8161921)
-When Windows Defender Credential Guard is enabled on Windows 10, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
+When Windows Defender Credential Guard is enabled on Windows, the Java GSS API will not authenticate. This is expected behavior because Windows Defender Credential Guard blocks specific application authentication capabilities and will not provide the TGT session key to applications regardless of registry key settings. For further information see [Application requirements](/windows/access-protection/credential-guard/credential-guard-requirements#application-requirements).
The following issue affects Cisco AnyConnect Secure Mobility Client:
-- [Blue screen on Windows 10 computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
+- [Blue screen on Windows computers running Hypervisor-Protected Code Integrity and Windows Defender Credential Guard with Cisco Anyconnect 4.3.04027](https://quickview.cloudapps.cisco.com/quickview/bug/CSCvc66692) \*
*Registration required to access this article.
The following issue affects McAfee Application and Change Control (MACC):
-- [KB88869 Windows 10 machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
+- [KB88869 Windows machines exhibit high CPU usage with McAfee Application and Change Control (MACC) installed when Windows Defender Credential Guard is enabled](https://kc.mcafee.com/corporate/index?page=content&id=KB88869) [1]
The following issue affects AppSense Environment Manager.
For further information, see the following Knowledge Base article:
-- [Installing AppSense Environment Manager on Windows 10 machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
+- [Installing AppSense Environment Manager on Windows machines causes LSAISO.exe to exhibit high CPU usage when Windows Defender Credential Guard is enabled](http://www.appsense.com/kb/160525073917945) [1] \**
The following issue affects Citrix applications:
-- Windows 10 machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1]
+- Windows machines exhibit high CPU usage with Citrix applications installed when Windows Defender Credential Guard is enabled. [1]
-[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10 or Windows Server 2016 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
+[1] Products that connect to Virtualization Based Security (VBS) protected processes can cause Windows Defender Credential Guard-enabled Windows 10, Windows 11, Windows Server 2016 or Windows Server 2019 machines to exhibit high CPU usage. For technical and troubleshooting information, see the following Microsoft Knowledge Base article:
-- [KB4032786 High CPU usage in the LSAISO process on Windows 10 or Windows Server 2016](https://support.microsoft.com/help/4032786)
+- [KB4032786 High CPU usage in the LSAISO process on Windows](https://support.microsoft.com/help/4032786)
For further technical information on LSAISO.exe, see the MSDN article: [Isolated User Mode (IUM) Processes](/windows/win32/procthread/isolated-user-mode--ium--processes)
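Review bot: The same concern applies to the Oracle bug (JDK-8161921), Cisco bug (CSCvc66692), McAfee KB88869, AppSense and Microsoft KB4032786 bullets: their link text is the third-party article title, and those articles are specifically about Windows 10 and Windows Server 2016, so the text should not be edited to claim a broader scope. The footnote "[1]" is consistent with that: it now lists Windows 10, Windows 11, Server 2016 and Server 2019, but the KB it points to (KB4032786) is titled for Windows 10 and Server 2016 only; confirm the issue was reproduced on the newer versions before listing them.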
@@ -107,21 +108,21 @@ See the following article on Citrix support for Secure Boot:
Windows Defender Credential Guard is not supported by either these products, products versions, computer systems, or Windows 10 versions:
-- For Windows Defender Credential Guard on Windows 10 with McAfee Encryption products, see:
- [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows 10 with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
+- For Windows Defender Credential Guard on Windows with McAfee Encryption products, see:
+ [Support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard on Windows with McAfee encryption products](https://kc.mcafee.com/corporate/index?page=content&id=KB86009)
-- For Windows Defender Credential Guard on Windows 10 with Check Point Endpoint Security Client, see:
- [Check Point Endpoint Security Client support for Microsoft Windows 10 Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
+- For Windows Defender Credential Guard on Windows with Check Point Endpoint Security Client, see:
+ [Check Point Endpoint Security Client support for Microsoft Windows Defender Credential Guard and Hypervisor-Protected Code Integrity features](https://supportcenter.checkpoint.com/supportcenter/portal?eventSubmit_doGoviewsolutiondetails=&solutionid=sk113912)
-- For Windows Defender Credential Guard on Windows 10 with VMWare Workstation
- [Windows 10 host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
+- For Windows Defender Credential Guard on Windows with VMWare Workstation
+ [Windows host fails when running VMWare Workstation when Windows Defender Credential Guard is enabled](https://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2146361)
-- For Windows Defender Credential Guard on Windows 10 with specific versions of the Lenovo ThinkPad
- [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows 10 – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
+- For Windows Defender Credential Guard on Windows with specific versions of the Lenovo ThinkPad
+ [ThinkPad support for Hypervisor-Protected Code Integrity and Windows Defender Credential Guard in Microsoft Windows – ThinkPad](https://support.lenovo.com/in/en/solutions/ht503039)
-- For Windows Defender Credential Guard on Windows 10 with Symantec Endpoint Protection
- [Windows 10 with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
+- For Windows Defender Credential Guard on Windows with Symantec Endpoint Protection
+ [Windows devices with Windows Defender Credential Guard and Symantec Endpoint Protection 12.1](https://www.symantec.com/connect/forums/windows-10-device-guard-credentials-guard-and-sep-121)
- This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows 10 or specific versions of Windows 10. Specific computer system models may be incompatible with Windows Defender Credential Guard.
+ This is not a comprehensive list. Check whether your product vendor, product version, or computer system, supports Windows Defender Credential Guard on systems that run Windows or specific versions of Windows. Specific computer system models may be incompatible with Windows Defender Credential Guard.
Microsoft encourages third-party vendors to contribute to this page by providing relevant product support information and by adding links to their own product support statements.
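Review bot: The unchanged lead-in line still says "not supported by either these products, products versions, computer systems, or Windows 10 versions" while every bullet below it is being changed to "Windows", so this line needs the same edit (and "either" should be "any of"). In the Check Point bullet, "Microsoft Windows Defender Credential Guard" is an awkward result of deleting "10" from "Microsoft Windows 10"; "Windows Defender Credential Guard" alone reads correctly.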
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-manage.md b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
index 936172770d..17ee0a5394 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-manage.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-manage.md
@@ -1,5 +1,5 @@
---
-title: Manage Windows Defender Credential Guard (Windows 10)
+title: Manage Windows Defender Credential Guard (Windows)
description: Learn how to deploy and manage Windows Defender Credential Guard using Group Policy, the registry, or hardware readiness tools.
ms.prod: w10
ms.mktglfcycl: explore
@@ -21,9 +21,10 @@ ms.custom:
# Manage Windows Defender Credential Guard
**Applies to**
-- Windows 10 Enterprise or Education SKUs
-- Windows Server 2016
-- Windows Server 2019
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
## Enable Windows Defender Credential Guard
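Review bot: Replacing "Windows 10 Enterprise or Education SKUs" with a bare "Windows 10" drops the edition qualifier, which is a real support-scope change rather than a wording update; the unchanged intro in credential-guard.md in this same change still says "Introduced in Windows 10 Enterprise and Windows Server 2016". Either keep the SKU qualifier (for Windows 11 as well) or add a sentence stating which editions support the feature, so administrators on Pro devices are not led to expect Credential Guard to enable.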
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
index e6bce8b91b..30f8dbe57c 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-not-protected-scenarios.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Credential Guard protection limits & mitigations (Windows 10)
-description: Scenarios not protected by Windows Defender Credential Guard in Windows 10, and additional mitigations you can use.
+title: Windows Defender Credential Guard protection limits & mitigations (Windows)
+description: Scenarios not protected by Windows Defender Credential Guard in Windows, and additional mitigations you can use.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -19,8 +19,10 @@ ms.reviewer:
# Windows Defender Credential Guard protection limits and mitigations
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
Prefer video? See [Credentials protected by Windows Defender Credential Guard](https://mva.microsoft.com/en-us/training-courses/deep-dive-into-credential-guard-16651?l=pdc37LJyC_1204300474)
in the Deep Dive into Windows Defender Credential Guard video series.
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
index 845101f5a0..e348a5ba65 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-protection-limits.md
@@ -1,6 +1,6 @@
---
-title: Windows Defender Credential Guard protection limits (Windows 10)
-description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows 10. Learn more with this guide.
+title: Windows Defender Credential Guard protection limits (Windows)
+description: Some ways to store credentials are not protected by Windows Defender Credential Guard in Windows. Learn more with this guide.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -19,8 +19,10 @@ ms.reviewer:
# Windows Defender Credential Guard protection limits
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
Some ways to store credentials are not protected by Windows Defender Credential Guard, including:
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
index ebe6d25f53..a23f5dbebd 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-requirements.md
@@ -1,5 +1,5 @@
---
-title: Windows Defender Credential Guard Requirements (Windows 10)
+title: Windows Defender Credential Guard Requirements (Windows)
description: Windows Defender Credential Guard baseline hardware, firmware, and software requirements, and additional protections for improved security.
ms.prod: w10
ms.mktglfcycl: explore
@@ -20,8 +20,10 @@ ms.reviewer:
## Applies to
-- Windows 10 Enterprise
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
For Windows Defender Credential Guard to provide protection, the computers you are protecting must meet certain baseline hardware, firmware, and software requirements, which we will refer to as [Hardware and software requirements](#hardware-and-software-requirements). Additionally, Windows Defender Credential Guard blocks specific authentication capabilities, so applications that require such capabilities will break. We will refer to these requirements as [Application requirements](#application-requirements). Beyond these requirements, computers can meet additional hardware and firmware qualifications, and receive additional protections. Those computers will be more hardened against certain threats. For detailed information on baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017, refer to the tables in [Security Considerations](#security-considerations).
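Review bot: Changing "Windows 10 Enterprise" to "Windows 10" in the "Applies to" list of the requirements page is the one place where the edition restriction matters most, since this page defines the baseline; if the edition requirement still holds, keep it here even if it is removed from the other pages.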
@@ -102,7 +104,7 @@ The following tables describe baseline protections, plus protections for improve
|Hardware: **Trusted Platform Module (TPM)**|**Requirement**: - TPM 1.2 or TPM 2.0, either discrete or firmware. [TPM recommendations](../../information-protection/tpm/tpm-recommendations.md)|A TPM provides protection for VBS encryption keys that are stored in the firmware. TPM helps protect against attacks involving a physically present user with BIOS access.|
|Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot**|**Requirements**: - See the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot|UEFI Secure Boot helps ensure that the device boots only authorized code, and can prevent boot kits and root kits from installing and persisting across reboots.|
|Firmware: **Secure firmware update process**|**Requirements**: - UEFI firmware must support secure firmware update found under the following Windows Hardware Compatibility Program requirement: System.Fundamentals.Firmware.UEFISecureBoot.|UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed.|
-|Software: Qualified **Windows operating system**|**Requirement**: - Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
+|Software: Qualified **Windows operating system**|**Requirement**: - At least Windows 10 or Windows Server 2016.|Support for VBS and for management features that simplify configuration of Windows Defender Credential Guard.|
> [!IMPORTANT]
> Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard.
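Review bot: The unchanged IMPORTANT note below the table still says only "Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard"; now that Windows Server 2019 is added to the "Applies to" list, state explicitly whether the domain-controller restriction also applies to Server 2019 so the table row "At least Windows 10 or Windows Server 2016" is not read as implying otherwise.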
diff --git a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
index b62a1d9818..f4e9fb404e 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard-scripts.md
@@ -1,6 +1,6 @@
---
-title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows 10)
-description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows 10.
+title: Scripts for Certificate Issuance Policies in Windows Defender Credential Guard (Windows)
+description: Obtain issuance policies from the certificate authority for Windows Defender Credential Guard on Windows.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
diff --git a/windows/security/identity-protection/credential-guard/credential-guard.md b/windows/security/identity-protection/credential-guard/credential-guard.md
index ea92be3d39..20d2d330d4 100644
--- a/windows/security/identity-protection/credential-guard/credential-guard.md
+++ b/windows/security/identity-protection/credential-guard/credential-guard.md
@@ -1,5 +1,5 @@
---
-title: Protect derived domain credentials with Windows Defender Credential Guard (Windows 10)
+title: Protect derived domain credentials with Windows Defender Credential Guard (Windows)
description: Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them.
ms.assetid: 4F1FE390-A166-4A24-8530-EA3369FEB4B1
ms.reviewer:
@@ -20,8 +20,10 @@ ms.date: 08/17/2017
# Protect derived domain credentials with Windows Defender Credential Guard
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
Introduced in Windows 10 Enterprise and Windows Server 2016, Windows Defender Credential Guard uses virtualization-based security to isolate secrets so that only privileged system software can access them. Unauthorized access to these secrets can lead to credential theft attacks, such as Pass-the-Hash or Pass-The-Ticket. Windows Defender Credential Guard prevents these attacks by protecting NTLM password hashes, Kerberos Ticket Granting Tickets, and credentials stored by applications as domain credentials.
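Review bot: the hunk header shows `ms.date: 08/17/2017` left untouched while the Applies-to list gains Windows 11 and Windows Server 2019; bump ms.date so the page's freshness stamp matches the content change. The change to "- Windows 10" and "- Windows Server 2016" appears to be whitespace-only (the rendered text is identical); if it is trailing-whitespace cleanup, say so in the commit message so reviewers do not look for a content difference.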
diff --git a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
index 803d27b000..8d3185afd9 100644
--- a/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
+++ b/windows/security/identity-protection/credential-guard/dg-readiness-tool.md
@@ -18,7 +18,10 @@ ms.reviewer:
# Windows Defender Device Guard and Windows Defender Credential Guard hardware readiness tool
**Applies to:**
-- Windows 10 Enterprise Edition
+- Windows 10
+- Windows 11
+- Windows Server 2016
+- Windows Server 2019
```powershell
# Script to find out if a machine is Device Guard compliant.
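Review bot: replacing "Windows 10 Enterprise Edition" with the unqualified "Windows 10" drops the edition qualifier, and the very next file in this patch (credential-guard.md) still says the feature was "Introduced in Windows 10 Enterprise"; keep the edition qualifier for the client entries (for example "Windows 10 Enterprise" and "Windows 11 Enterprise") so the readiness tool page does not imply the feature is available on every edition.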
diff --git a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
index 9d0f10190e..46ae044e8f 100644
--- a/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
+++ b/windows/security/identity-protection/hello-for-business/WebAuthnAPIs.md
@@ -15,31 +15,31 @@ localizationpriority: medium
ms.date: 02/15/2019
ms.reviewer:
---
-# WebAuthn APIs for password-less authentication on Windows 10
+# WebAuthn APIs for password-less authentication on Windows
-### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can leverage password-less authentication.
+### Passwords leave your customers vulnerable. With the new WebAuthn APIs, your sites and apps can use password-less authentication.
Microsoft has long been a proponent to do away with passwords.
While working towards that goal, we'd like to introduce you to the latest Windows 10 (version 1903) W3C/FIDO2 Win32 WebAuthn platform APIs!
-These APIs allow Microsoft developer partners and the developer community to leverage Windows Hello and FIDO2 security keys
-as a password-less authentication mechanism for their applications on Windows 10 devices.
+These APIs allow Microsoft developer partners and the developer community to use Windows Hello and FIDO2 security keys
+as a password-less authentication mechanism for their applications on Windows devices.
#### What does this mean?
-This opens opportunities for developers or relying parties (RPs) to enable password-less authentication.
-They can now leverage [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
+This opens opportunities for developers or relying parties (RPs') to enable password-less authentication.
+They can now use [Windows Hello](./index.yml) or [FIDO2 Security Keys](./microsoft-compatible-security-key.md)
as a password-less multi-factor credential for authentication.
Users of these sites can use any browser that supports WebAuthn Windows 10 APIs for password-less authentication
- and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs site!
+ and will have a familiar and consistent experience on Windows 10, no matter which browser they use to get to the RPs' site!
The native Windows 10 WebAuthn APIs are currently supported by Microsoft Edge on Windows 10 1809 or later
and latest versions of other browsers.
Developers of FIDO2 authentication keys should use the new Windows 10 APIs, to enable these scenarios in a consistent way for users.
- Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC and BLE
+ Moreover, this enables the use of all the transports available per FIDO2 specifications - USB, NFC, and BLE
without having to deal with the interaction and management overhead.
-This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO related messaging.
+This also implies browsers or apps on Windows 10 will no longer have direct access to above transports for FIDO-related messaging.
#### Where can developers learn more?
The new Windows 10 APIs are documented on [GitHub](https://github.com/Microsoft/webauthn)
\ No newline at end of file
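Review bot: the change from "relying parties (RPs)" to "relying parties (RPs')" introduces an incorrect possessive apostrophe in what is just an abbreviation definition; revert that line to "(RPs)". In the later sentence, "the RPs' site" reads as the site of several relying parties, whereas the sentence is about a user reaching one RP's site, so "the RP's site" is the intended form. The title and lead are generalized to "Windows", but the body still repeatedly says "Windows 10 (version 1903)", "Windows 10 APIs" and "Windows 10 1809 or later"; either leave the title version-specific or state the minimum Windows 10 version once and use "Windows" thereafter.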
diff --git a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
index f80ffec25c..d1e93b59ef 100644
--- a/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
+++ b/windows/security/identity-protection/hello-for-business/feature-multifactor-unlock.md
@@ -1,6 +1,6 @@
---
title: Multi-factor Unlock
-description: Learn how Windows 10 offers multifactor device unlock by extending Windows Hello with trusted signals.
+description: Learn how Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, cert-trust, device, registration, unlock, multi, factor, multifactor, multi-factor
ms.prod: w10
ms.mktglfcycl: deploy
@@ -19,17 +19,19 @@ ms.reviewer:
# Multi-factor Unlock
**Applies to:**
-- Windows 10
+
+- Windows 10
+- Windows 11
**Requirements:**
* Windows Hello for Business deployment (Hybrid or On-premises)
* Azure AD, Hybrid Azure AD, or Domain Joined (Cloud, Hybrid, or On-Premises deployments)
-* Windows 10, version 1709 or newer
+* Windows 10, version 1709 or newer, or Windows 11
* Bluetooth, Bluetooth capable phone - optional
Windows, today, natively only supports the use of a single credential (password, PIN, fingerprint, face, etc.) for unlocking a device. Therefore, if any of those credentials are compromised (shoulder surfed), an attacker could gain access to the system.
-Windows 10 offers Multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure Windows 10 to request a combination of factors and trusted signals to unlock their devices.
+Windows 10 and Windows 11 offer multi-factor device unlock by extending Windows Hello with trusted signals. Administrators can configure their Windows to request a combination of factors and trusted signals to unlock their devices.
Which organizations can take advantage of Multi-factor unlock? Those who:
* Have expressed that PINs alone do not meet their security needs.
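Review bot: "Administrators can configure their Windows to request a combination of factors" is awkward; "configure Windows" (or "configure Windows 10 and Windows 11") reads correctly. The new blank line inserted after "**Applies to:**" here is not mirrored in the other Applies-to blocks touched by this patch (for example the provisioning and technology pages); pick one layout and apply it across the files.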
@@ -92,13 +94,13 @@ You represent signal rules in XML. Each signal rule has an starting and ending
```
### Signal element
-Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 supports the **ipConfig** and **bluetooth** type values.
+Each rule element has a **signal** element. All signal elements have a **type** element and value. Windows 10, version 1709 or later supports the **ipConfig** and **bluetooth** type values.
|Attribute|Value|
|---------|-----|
-| type| "bluetooth" or "ipConfig" (Windows 10, version 1709)|
-| type| "wifi" (Windows 10, version 1803)
+| type| "bluetooth" or "ipConfig" (Windows 10, version 1709) or later|
+| type| "wifi" (Windows 10, version 1803 or later)
#### Bluetooth
You define the bluetooth signal with additional attributes in the signal element. The bluetooth configuration does not use any other elements. You can end the signal element with short ending tag "\/>".
@@ -133,7 +135,7 @@ The **classofDevice** attribute defaults to Phone and uses the values from the f
|Health|2304|
|Uncategorized|7936|
-The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows 10 to lock the device once the signal strength weakens by more than measurement of 10.
+The **rssiMin** attribute value signal indicates the strength needed for the device to be considered "in-range". The default value of **-10** enables a user to move about an average size office or cubicle without triggering Windows to lock the device. The **rssiMaxDelta** has a default value of **-10**, which instruct Windows to lock the device once the signal strength weakens by more than measurement of 10.
RSSI measurements are relative and lower as the bluetooth signals between the two paired devices reduces. Therefore a measurement of 0 is stronger than -10, which is stronger than -60, which is an indicator the devices are moving further apart from each other.
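Review bot: the rewritten rssiMaxDelta sentence keeps the subject-verb error "which instruct Windows"; it should be "which instructs Windows". While touching it, "weakens by more than measurement of 10" should read "weakens by more than a measurement of 10".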
@@ -220,7 +222,7 @@ The fully qualified domain name of your organization's internal DNS suffix where
#### Wi-Fi
**Applies to:**
-- Windows 10, version 1803
+- Windows 10, version 1803 or later
You define Wi-Fi signals using one or more wifi elements. Each element has a string value. Wifi elements do not have attributes or nested elements.
@@ -322,7 +324,7 @@ This example configures the same as example 2 using compounding And elements. T
```
#### Example 4
-This example configures Wi-Fi as a trusted signal (Windows 10, version 1803)
+This example configures Wi-Fi as a trusted signal (Windows 10, version 1803 or later)
```xml
Azure Active Directory joined devices authenticate to Azure during sign-in and can optional authenticate to Active Directory. Hybrid Azure Active Directory joined devices authenticate to Active Directory during sign-in, and authenticate to Azure Active Directory in the background.
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
index 20008e7565..9e1ddf66b7 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-provisioning.md
@@ -16,9 +16,10 @@ ms.date: 08/19/2018
ms.reviewer:
---
# Windows Hello for Business Provisioning
-
-Applies to:
-- Windows 10
+
+**Applies to:**
+- Windows 10
+- Windows 11
Windows Hello for Business provisioning enables a user to enroll a new, strong, two-factor credential that they can use for passwordless authentication. Provisioning experience vary based on:
- How the device is joined to Azure Active Directory
@@ -48,7 +49,7 @@ Windows Hello for Business provisioning enables a user to enroll a new, strong,
[Return to top](#windows-hello-for-business-provisioning)
## Azure AD joined provisioning in a Federated environment
-
+
| Phase | Description |
| :----: | :----------- |
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
index af9083a431..cae576ab66 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works-technology.md
@@ -19,6 +19,7 @@ ms.reviewer:
**Applies to:**
- Windows 10
+- Windows 11
- [Attestation Identity Keys](#attestation-identity-keys)
- [Azure AD Joined](#azure-ad-joined)
@@ -44,15 +45,15 @@ ms.reviewer:
## Attestation Identity Keys
-Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows 10 issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
+Because the endorsement certificate is unique for each device and does not change, the usage of it may present privacy concerns because it's theoretically possible to track a specific device. To avoid this privacy problem, Windows issues a derived attestation anchor based on the endorsement certificate. This intermediate key, which can be attested to an endorsement key, is the Attestation Identity Key (AIK) and the corresponding certificate is called the AIK certificate. This AIK certificate is issued by a Microsoft cloud service.
> [!NOTE]
-> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows 10 creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
+> The AIK certificate must be provisioned in conjunction with a third-party service like the Microsoft Cloud CA service. After it is provisioned, the AIK private key can be used to report platform configuration. Windows creates a signature over the platform log state (and a monotonic counter value) at each boot by using the AIK.
> The AIK is an asymmetric (public/private) key pair that is used as a substitute for the EK as an identity for the TPM for privacy purposes. The private portion of an AIK is never revealed or used outside the TPM and can only be used inside the TPM for a limited set of operations. Furthermore, it can only be used for signing, and only for limited, TPM-defined operations.
-Windows 10 creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows 10 device.
+Windows creates AIKs protected by the TPM, if available, that are 2048-bit RSA signing keys. Microsoft hosts a cloud service called Microsoft Cloud CA to establish cryptographically that it is communicating with a real TPM and that the TPM possesses the presented AIK. After the Microsoft Cloud CA service has established these facts, it will issue an AIK certificate to the Windows device.
-Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
+Many existing devices that will upgrade to Windows 10 will not have a TPM, or the TPM will not contain an endorsement certificate. **To accommodate those devices, Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate.** Such AIK certificates are not issued by Microsoft Cloud CA. Note that this is not as trustworthy as an endorsement certificate that is burned into the device during manufacturing, but it will provide compatibility for advanced scenarios like Windows Hello for Business without TPM.
In the issued AIK certificate, a special OID is added to attest that endorsement certificate was used during the attestation process. This information can be leveraged by a relying party to decide whether to reject devices that are attested using AIK certificates without an endorsement certificate or accept them. Another scenario can be to not allow access to high-value assets from devices that are attested by an AIK certificate that is not backed by an endorsement certificate.
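Review bot: the bolded sentence now says "Windows 10 or Windows 11 allows the issuance of AIK certificates without the presence of an endorsement certificate", but the sentence before it still limits the scenario to "devices that will upgrade to Windows 10"; the two sentences should agree (either "upgrade to Windows 10 or Windows 11" or leave both at Windows 10). Elsewhere in this hunk the generalization was done by writing plain "Windows"; use the same wording here for consistency.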
@@ -102,7 +103,7 @@ The Windows Hello for Business Cloud deployment is exclusively for organizations
[Return to Top](hello-how-it-works-technology.md)
## Cloud Experience Host
-In Windows 10, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
+In Windows 10 and Windows 11, Cloud Experience Host is an application used while joining the workplace environment or Azure AD for rendering the experience when collecting your company-provided credentials. Once you enroll your device to your workplace environment or Azure AD, your organization will be able to manage your PC and collect information about you (including your location). It might add or remove apps or content, change settings, disable features, prevent you from removing your company account, or reset your PC.
### Related topics
[Windows Hello for Business](./hello-identity-verification.md), [Managed Windows Hello in Organization](./hello-manage-in-organization.md)
@@ -138,7 +139,7 @@ The endorsement key is often accompanied by one or two digital certificates:
- One certificate is produced by the TPM manufacturer and is called the **endorsement certificate**. The endorsement certificate is used to prove the authenticity of the TPM (for example, that it's a real TPM manufactured by a specific chip maker) to local processes, applications, or cloud services. The endorsement certificate is created during manufacturing or the first time the TPM is initialized by communicating with an online service.
- The other certificate is produced by the platform builder and is called the **platform certificate** to indicate that a specific TPM is integrated with a certain device.
-For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10.
+For certain devices that use firmware-based TPM produced by Intel or Qualcomm, the endorsement certificate is created when the TPM is initialized during the OOBE of Windows 10 and Windows 11.
### Related topics
[Attestation Identity Keys](#attestation-identity-keys), [Storage Root Key](#storage-root-key), [Trusted Platform Module](#trusted-platform-module)
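Review bot: "created when the TPM is initialized during the OOBE of Windows 10 and Windows 11" describes a single device's out-of-box experience, which runs one OS; "Windows 10 or Windows 11" is the intended meaning, or simply "during Windows OOBE" to match the rest of the hunk.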
@@ -279,15 +280,15 @@ The trust type determines how a user authenticates to the Active Directory to ac
A Trusted Platform Module (TPM) is a hardware component that provides unique security features.
-Windows 10 leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
+Windows leverages security characteristics of a TPM for measuring boot integrity sequence (and based on that, unlocking automatically BitLocker protected drives), for protecting credentials or for health attestation.
A TPM implements controls that meet the specification described by the Trusted Computing Group (TCG). At the time of this writing, there are two versions of TPM specification produced by TCG that are not compatible with each other:
- The first TPM specification, version 1.2, was published in February 2005 by the TCG and standardized under ISO / IEC 11889 standard.
- The latest TPM specification, referred to as TPM 2.0, was released in April 2014 and has been approved by the ISO/IEC Joint Technical Committee (JTC) as ISO/IEC 11889:2015.
-Windows 10 uses the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows 10](../../information-protection/tpm/tpm-recommendations.md).
+Windows 10 and Windows 11 use the TPM for cryptographic calculations as part of health attestation and to protect the keys for BitLocker, Windows Hello, virtual smart cards, and other public key certificates. For more information, see [TPM requirements in Windows](../../information-protection/tpm/tpm-recommendations.md).
-Windows 10 recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 supports only TPM 2.0.
+Windows recognizes versions 1.2 and 2.0 TPM specifications produced by the TCG. For the most recent and modern security features, Windows 10 and Windows 11 support only TPM 2.0.
TPM 2.0 provides a major revision to the capabilities over TPM 1.2:
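Review bot: generalizing "Windows 10 recognizes versions 1.2 and 2.0 TPM specifications" to "Windows recognizes" makes the statement cover Windows 11, which requires TPM 2.0 as an installation prerequisite; keep the 1.2/2.0 statement scoped to Windows 10 and say that Windows 11 requires TPM 2.0, otherwise the following sentence ("Windows 10 and Windows 11 support only TPM 2.0" for modern features) reads as though Windows 11 would still boot with a TPM 1.2 part.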
diff --git a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
index 609a2a0954..657611e55f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/hello-how-it-works.md
@@ -15,11 +15,12 @@ localizationpriority: medium
ms.date: 05/05/2018
ms.reviewer:
---
-# How Windows Hello for Business works
+# How Windows Hello for Business works in Windows Devices
**Applies to**
- Windows 10
+- Windows 11
Windows Hello for Business is a modern, two-factor credential that is the more secure alternative to passwords. Whether you are cloud or on-premises, Windows Hello for Business has a deployment option for you. For cloud deployments, you can use Windows Hello for Business with Azure Active Directory joined, Hybrid Azure Active Directory joined, or Azure Active Directory registered devices. Windows Hello for Business also works for domain joined devices.
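Review bot: the new H1 "How Windows Hello for Business works in Windows Devices" capitalizes "Devices" mid-title and adds a phrase that the Applies-to list immediately below already conveys; keep the original title "How Windows Hello for Business works" (the front-matter `title:` field, not shown in this hunk, should also match whichever heading is chosen).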
@@ -34,7 +35,7 @@ Windows Hello for Business is a distributed system that uses several components
Registration is a fundamental prerequisite for Windows Hello for Business. Without registration, Windows Hello for Business provisioning cannot start. Registration is where the device **registers** its identity with the identity provider. For cloud and hybrid deployments, the identity provider is Azure Active Directory and the device registers with the Azure Device Registration Service (ADRS). For on-premises deployments, the identity provider is Active Directory Federation Services (AD FS), and the device registers with the enterprise device registration service hosted on the federation servers (AD FS).
-For more information read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
+For more information, read [how device registration works](/azure/active-directory/devices/device-registration-how-it-works).
### Provisioning
@@ -44,11 +45,11 @@ Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business pr
> [!VIDEO https://www.youtube.com/embed/RImGsIjSJ1s]
-For more information read [how provisioning works](hello-how-it-works-provisioning.md).
+For more information, read [how provisioning works](hello-how-it-works-provisioning.md).
### Authentication
-With the device registered and provisioning complete, users can sign-in to Windows 10 using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
+With the device registered and provisioning complete, users can sign-in to Windows using biometrics or a PIN. PIN is the most common gesture and is available on all computers unless restricted by policy requiring a TPM. Regardless of the gesture used, authentication occurs using the private portion of the Windows Hello for Business credential. Neither the PIN nor the private portion of the credential are ever sent to the identity provider, and the PIN is not stored on the device. It is user provided entropy when performing operations that use the private portion of the credential.
Watch Matthew Palko and Ravi Vennapusa explain how Windows Hello for Business authentication works.
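Review bot: "users can sign-in to Windows using biometrics or a PIN" uses the hyphenated noun form as a verb; since the line is being edited anyway, change it to "sign in to Windows". The same line's "It is user provided entropy" would read more clearly as "user-provided entropy".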
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
index 13246cec6f..eeb8ee8626 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-base.md
@@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10
+- Windows 11
- Azure Active Directory joined
- Hybrid Deployment
- Key trust model
@@ -50,7 +51,7 @@ You can use the **dsregcmd.exe** command to determine if your device is register
### CRL Distribution Point (CDP)
-Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows 10 consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.
+Certificates issued by a certificate authority can be revoked. When a certificate authority revokes as certificate, it writes information about the certificate into a revocation list. During certificate validation, Windows consults the CRL distribution point within the certificate to get a list of revoked certificates. Validation compares the current certificate with information in the certificate revocation list to determine if the certificate remains valid.

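Review bot: the rewritten CRL paragraph carries over the typo "When a certificate authority revokes as certificate"; it should be "revokes a certificate". The sentence "Validation compares the current certificate with information in the certificate revocation list" could also say what is compared (the certificate's serial number against the entries in the CRL), which is the check that actually matters when a revoked domain controller certificate is presented.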
@@ -75,7 +76,7 @@ Certificate authorities write CRL distribution points in certificates as they ar
#### Why does Windows need to validate the domain controller certificate?
-Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows 10 client validates the reply from the domain controller by ensuring all of the following are met:
+Windows Hello for Business enforces the strict KDC validation security feature when authenticating from an Azure AD joined device to a domain. This enforcement imposes more restrictive criteria that must be met by the Key Distribution Center (KDC). When authenticating using Windows Hello for Business on an Azure AD joined device, the Windows client validates the reply from the domain controller by ensuring all of the following are met:
- The domain controller has the private key for the certificate provided.
- The root CA that issued the domain controller's certificate is in the device's **Trusted Root Certificate Authorities**.
@@ -212,7 +213,7 @@ The web server is ready to host the CRL distribution point. Now, configure the
4. On the **Extensions** tab, click **Add**. Type the computer and share name you create for your CRL distribution point in [Configure the CDP file share](#configure-the-cdp-file-share). For example, **\\\app\cdp$\\** (do not forget the trailing backwards slash).
5. Select **\

8. Select **Publish CRLs to this location**.
9. Select **Publish Delta CRLs to this location**.
@@ -261,7 +262,6 @@ With the CA properly configured with a valid HTTP-based CRL distribution point,
5. Review the information below the list of fields to confirm the new URL for the CRL distribution point is present in the certificate. Click **OK**.

-
## Configure and Assign a Trusted Certificate Device Configuration Profile
Your domain controllers have new certificate that include the new CRL distribution point. Next, you need your enterprise root certificate so you can deploy it to Azure AD joined devices. Deploying the enterprise root certificates to the device, ensures the device trusts any certificates issued by the certificate authority. Without the certificate, Azure AD joined devices do not trust domain controller certificates and authentication fails.
@@ -281,7 +281,7 @@ Steps you will perform include:

6. In the **Certificate Export Wizard**, click **Next**.
7. On the **Export File Format** page of the wizard, click **Next**.
-8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.
+8. On the **File to Export** page in the wizard, type the name and location of the root certificate and click **Next**. Click **Finish** and then click **OK** to close the success dialog box.

9. Click **OK** two times to return to the **Certificate Manager** for the local computer. Close the **Certificate Manager**.
@@ -315,7 +315,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
7. Select **Required** next to **Use a Trusted Platform Module (TPM)**. By default, Windows Hello for Business prefers TPM 2.0 or falls backs to software. Choosing **Required** forces Windows Hello for Business to only use TPM 2.0 or TPM 1.2 and does not allow fall back to software-based keys.
8. Enter the desired **Minimum PIN length** and **Maximum PIN length**.
> [!IMPORTANT]
- > The default minimum PIN length for Windows Hello for Business on Windows 10 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
+ > The default minimum PIN length for Windows Hello for Business on Windows 10 and Windows 11 is six. Microsoft Intune defaults the minimum PIN length to four, which reduces the security of the user's PIN. If you do not have a desired PIN length, set the minimum PIN length to six.
9. Select the appropriate configuration for the following settings:
* **Lowercase letters in PIN**
@@ -325,7 +325,7 @@ Sign-in a workstation with access equivalent to a _domain user_.
* **Remember PIN history**
> [!NOTE]
- > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows 10 to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
+ > The Windows Hello for Business PIN is not a symmetric key (a password). A copy of the current PIN is not stored locally or on a server like in the case of passwords. Making the PIN as complex and changed frequently as a password increases the likelihood of forgotten PINs. Additionally, enabling PIN history is the only scenario that requires Windows to store older PIN combinations (protected to the current PIN). Windows Hello for Business combined with a TPM provides anti-hammering functionality that prevents brute force attacks of the user's PIN. If you are concerned with user-to-user shoulder surfacing, rather that forcing complex PIN that change frequently, consider using the [Multifactor Unlock](feature-multifactor-unlock.md) feature.
10. Select **Yes** next to **Allow biometric authentication** if you want to allow users to use biometrics (fingerprint and/or facial recognition) to unlock the device. To further secure the use of biometrics, select **Yes** to **Use enhanced anti-spoofing, when available**.
11. Select **No** to **Allow phone sign-in**. This feature has been deprecated.
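Review bot: the edited NOTE line still carries two grammar slips in its last sentence, "rather that forcing complex PIN that change frequently"; since the line is being rewritten anyway, make it "rather than forcing complex PINs that change frequently". The compound modifier in "brute force attacks" should also be hyphenated ("brute-force attacks").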
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
index e4ada9da90..fba0adf89f 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-aadj-sso-cert.md
@@ -20,7 +20,9 @@ ms.reviewer:
# Using Certificates for AADJ On-premises Single-sign On
**Applies to:**
+
- Windows 10
+- Windows 11
- Azure Active Directory joined
- Hybrid Deployment
- Certificate trust
@@ -31,6 +33,7 @@ If you plan to use certificates for on-premises single-sign on, then follow thes
> Ensure you have performed the configurations in [Azure AD joined devices for On-premises Single-Sign On](hello-hybrid-aadj-sso-base.md) before you continue.
Steps you will perform include:
+
- [Prepare Azure AD Connect](#prepare-azure-ad-connect)
- [Prepare the Network Device Enrollment Services Service Account](#prepare-the-network-device-enrollment-services-ndes-service-account)
- [Prepare Active Directory Certificate Services](#prepare-active-directory-certificate-authority)
@@ -40,12 +43,14 @@ Steps you will perform include:
- [Create and Assign a Simple Certificate Enrollment Protocol (SCEP) Certificate Profile](#create-and-assign-a-simple-certificate-enrollment-protocol-scep-certificate-profile)
## Requirements
+
You need to install and configure additional infrastructure to provide Azure AD joined devices with on-premises single-sign on.
- An existing Windows Server 2012 R2 or later Enterprise Certificate Authority
- A Windows Server 2012 R2 domain joined server that hosts the Network Device Enrollment Services role
-### High Availaibilty
+### High Availability
+
The Network Device Enrollment Services (NDES) server role acts as a certificate registration authority. Certificate registration servers enroll certificates on behalf of the user. Users request certificates from the NDES service rather than directly from the issuing certificate authority.
The architecture of the NDES server prevents it from being clustered or load balanced for high availability. To provide high availability, you need to install more than one identically configured NDES servers and use Microsoft Intune to load balance then (in round-robin fashion).
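Review bot: the last context line of the High Availability paragraph has a typo, "use Microsoft Intune to load balance then (in round-robin fashion)", which should read "load balance them"; on the same line, "more than one identically configured NDES servers" should be "more than one identically configured NDES server". The Requirements list above it says "Windows Server 2012 R2 or later" for the certificate authority but only "Windows Server 2012 R2" for the NDES host; if later versions are supported for NDES as well, state the version requirement the same way for both.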
@@ -59,9 +64,11 @@ The Network Device Enrollment Service (NDES) server role can issue up to three u
If you need to deploy more than three types of certificates to the Azure AD joined device, you need additional NDES servers. Alternatively, consider consolidating certificate templates to reduce the number of certificate templates.
### Network Requirements
+
All communication occurs securely over port 443.
## Prepare Azure AD Connect
+
Successful authentication to on-premises resources using a certificate requires the certificate to provide a hint about the on-premises domain. The hint can be the user's Active Directory distinguished name as the subject of the certificate, or the hint can be the user's user principal name where the suffix matches the Active Directory domain name.
Most environments change the user principal name suffix to match the organization's external domain name (or vanity domain), which prevents the user principal name as a hint to locate a domain controller. Therefore, the certificate needs the user's on-premises distinguished name in the subject to properly locate a domain controller.
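Review bot: "All communication occurs securely over port 443" names a port but not the protocol; the security property readers care about is TLS, not the port number, so state it as HTTPS (TCP 443) so that "securely" has a concrete meaning. In the last context line, "which prevents the user principal name as a hint to locate a domain controller" is missing a verb; "prevents the user principal name from serving as a hint to locate a domain controller" reads cleanly.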
@@ -69,100 +76,142 @@ Most environments change the user principal name suffix to match the organizatio
To include the on-premises distinguished name in the certificate's subject, Azure AD Connect must replicate the Active Directory **distinguishedName** attribute to the Azure Active Directory **onPremisesDistinguishedName** attribute. Azure AD Connect version 1.1.819 includes the proper synchronization rules needed for these attributes.
### Verify AAD Connect version
+
Sign-in to computer running Azure AD Connect with access equivalent to _local administrator_.
1. Open **Synchronization Services** from the **Azure AD Connect** folder.
+
2. In the **Synchronization Service Manager**, click **Help** and then click **About**.
+
3. If the version number is not **1.1.819** or later, then upgrade Azure AD Connect to the latest version.
### Verify the onPremisesDistinguishedName attribute is synchronized
+
The easiest way to verify the onPremisesDistingushedNamne attribute is synchronized is to use Azure AD Graph Explorer.
1. Open a web browser and navigate to https://graphexplorer.azurewebsites.net/
+
2. Click **Login** and provide Azure credentials
+
3. In the Azure AD Graph Explorer URL, type https://graph.windows.net/myorganization/users/[userid], where **[userid]** is the user principal name of user in Azure Active Directory. Click **Go**
+
4. In the returned results, review the JSON data for the **onPremisesDistinguishedName** attribute. Ensure the attribute has a value and the value is accurate for the given user.
+

## Prepare the Network Device Enrollment Services (NDES) Service Account
### Create the NDES Servers global security group
+
The deployment uses the **NDES Servers** security group to assign the NDES service the proper user right assignments.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
+
2. Expand the domain node from the navigation pane.
+
3. Right-click the **Users** container. Hover over **New** and click **Group**.
+
4. Type **NDES Servers** in the **Group Name** text box.
+
5. Click **OK**.
### Add the NDES server to the NDES Servers global security group
+
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Open **Active Directory Users and Computers**.
+
2. Expand the domain node from the navigation pane.
-3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group...**.
+
+3. Click **Computers** from the navigation pane. Right-click the name of the NDES server that will host the NDES server role. Click **Add to a group**.
+
4. Type **NDES Servers** in **Enter the object names to select**. Click **OK**. Click **OK** on the **Active Directory Domain Services** success dialog.
> [!NOTE]
> For high-availability, you should have more than one NDES server to service Windows Hello for Business certificate requests. You should add additional Windows Hello for Business NDES servers to this group to ensure they receive the proper configuration.
### Create the NDES Service Account
+
The Network Device Enrollment Services (NDES) role runs under a service account. Typically, it is preferential to run services using a Group Managed Service Account (GMSA). While the NDES role can be configured to run using a GMSA, the Intune Certificate Connector was not designed nor tested using a GMSA and is considered an unsupported configuration. The deployment uses a normal services account.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. In the navigation pane, expand the node that has your domain name. Select **Users**.
+
2. Right-click the **Users** container. Hover over **New** and then select **User**. Type **NDESSvc** in **Full Name** and **User logon name**. Click **Next**.
+
3. Type a secure password in **Password**. Confirm the secure password in **Confirm Password**. Clear **User must change password at next logon**. Click **Next**.
+
4. Click **Finish**.
> [!IMPORTANT]
> Configuring the service's account password to **Password never expires** may be more convenient, but it presents a security risk. Normal service account passwords should expire in accordance with the organizations user password expiration policy. Create a reminder to change the service account's password two weeks before it will expire. Share the reminder with others that are allowed to change the password to ensure the password is changed before it expires.
### Create the NDES Service User Rights Group Policy object
+
The Group Policy object ensures the NDES Service account has the proper user right to assign all the NDES servers in the **NDES Servers** group. As you add new NDES servers to your environment and this group, the service account automatically receives the proper user rights through the Group Policy.
Sign-in a domain controller or management workstations with _Domain Admin_ equivalent credentials.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
3. Right-click **Group Policy object** and select **New**.
+
4. Type **NDES Service Rights** in the name box and click **OK**.
+
5. In the content pane, right-click the **NDES Service Rights** Group Policy object and click **Edit**.
+
6. In the navigation pane, expand **Policies** under **Computer Configuration**.
+
7. Expand **Windows Settings > Security Settings > Local Policies**. Select **User Rights Assignments**.
+
8. In the content pane, double-click **Allow log on locally**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+
9. In the content pane, double-click **Log on as a batch job**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **Administrators;Backup Operators;DOMAINNAME\NDESSvc;Performance Log Users** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** twice.
+
10. In the content pane, double-click **Log on as a service**. Select **Define these policy settings** and click **OK**. Click **Add User or Group...**. In the **Add User or Group** dialog box, click **Browse**. In the **Select Users, Computers, Service Accounts, or Groups** dialog box, type **NT SERVICE\ALL SERVICES;DOMAINNAME\NDESSvc** where **DOMAINNAME** is the NetBios name of the domain (Example CONTOSO\NDESSvc) in **User and group names**. Click **OK** three times.
+
11. Close the **Group Policy Management Editor**.
### Configure security for the NDES Service User Rights Group Policy object
+
The best way to deploy the **NDES Service User Rights** Group Policy object is to use security group filtering. This enables you to easily manage the computers that receive the Group Policy settings by adding them to a group.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. Expand the domain and select the **Group Policy Object** node in the navigation pane.
+
3. Double-click the **NDES Service User Rights** Group Policy object.
+
4. In the **Security Filtering** section of the content pane, click **Add**. Type **NDES Servers** or the name of the security group you previously created and click **OK**.
+
5. Click the **Delegation** tab. Select **Authenticated Users** and click **Advanced**.
+
6. In the **Group or User names** list, select **Authenticated Users**. In the **Permissions for Authenticated Users** list, clear the **Allow** check box for the **Apply Group Policy** permission. Click **OK**.
### Deploy the NDES Service User Rights Group Policy object
+
The application of the **NDES Service User Rights** Group Policy object uses security group filtering. This enables you to link the Group Policy object at the domain, ensuring the Group Policy object is within scope to all computers. However, the security group filtering ensures only computers included in the **NDES Servers** global security group receive and apply the Group Policy object, which results in providing the **NDESSvc** service account with the proper user rights.
Sign-in to a domain controller or management workstation with access equivalent to _domain administrator_.
1. Start the **Group Policy Management Console** (gpmc.msc)
+
2. In the navigation pane, expand the domain and right-click the node that has your Active Directory domain name and click **Link an existing GPO**
+
3. In the **Select GPO** dialog box, select **NDES Service User Rights** or the name of the Group Policy object you previously created and click **OK**.
> [!IMPORTANT]
> Linking the **NDES Service User Rights** Group Policy object to the domain ensures the Group Policy object is in scope for all computers. However, not all computers will have the policy settings applied to them. Only computers that are members of the **NDES Servers** global security group receive the policy settings. All others computers ignore the Group Policy object.
## Prepare Active Directory Certificate Authority
+
You must prepare the public key infrastructure and the issuing certificate authority to support issuing certificates using Microsoft Intune and the Network Devices Enrollment Services (NDES) server role. In this task, you will
- Configure the certificate authority to let Intune provide validity periods
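Review bot: the Group Policy object is named inconsistently within this hunk: the creation step types **NDES Service Rights** into the name box, but the "Configure security", "Deploy" procedures and the IMPORTANT note all refer to **NDES Service User Rights**; pick one name and use it throughout, since a reader following the steps will otherwise not find the object they just created. The lead sentence of that same section, "has the proper user right to assign all the NDES servers", is garbled; "has the proper user rights assigned on all the NDES servers" matches what the steps actually do. Smaller fixes on lines adjacent to the added blank lines: "onPremisesDistingushedNamne" should be "onPremisesDistinguishedName" (a misspelled attribute name is easy to paste into a query and get no results), "it is preferential to run services" should be "preferable", "a normal services account" should be "a normal service account", "NetBios" should be "NetBIOS" (three occurrences), "organizations user password expiration policy" needs the possessive "organization's", and "All others computers ignore" should be "All other computers ignore".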
@@ -171,6 +220,7 @@ You must prepare the public key infrastructure and the issuing certificate autho
- Publish certificate templates
### Configure the certificate authority to let Intune provide validity periods
+
When deploying certificates using Microsoft Intune, you have the option of providing the validity period in the SCEP certificate profile rather than relying on the validity period in the certificate template. If you need to issue the same certificate with different validity periods, it may be advantageous to use the SCEP profile, given the limited number of certificates a single NDES server can issue.
> [!NOTE]
@@ -179,54 +229,77 @@ When deploying certificates using Microsoft Intune, you have the option of provi
Sign-in to the issuing certificate authority with access equivalent to _local administrator_.
1. Open an elevated command prompt and type the following command:
- ```
+
+ ```console
certutil -setreg Policy\EditFlags +EDITF_ATTRIBUTEENDDATE
```
-2. Restart the **Active Directory Certificate Services** service.
+
+1. Restart the **Active Directory Certificate Services** service.
### Create an NDES-Intune authentication certificate template
+
NDES uses a server authentication certificate to authenticate the server endpoint, which encrypts the communication between it and the connecting client. The Intune Certificate Connector uses a client authentication certificate template to authenticate to the certificate registration point.
Sign-in to the issuing certificate authority or management workstations with _Domain Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. In the **Certificate Template Console**, right-click the **Computer** template in the details pane and click **Duplicate Template**.
+
4. On the **General** tab, type **NDES-Intune Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the lab.
5. On the **Subject** tab, select **Supply in the request**.
+
6. On the **Cryptography** tab, validate the **Minimum key size** is **2048**.
+
7. On the **Security** tab, click **Add**.
+
8. Type **NDES server** in the **Enter the object names to select** text box and click **OK**.
+
9. Select **NDES server** from the **Group or users names** list. In the **Permissions for** section, select the **Allow** check box for the **Enroll** permission. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other items in the **Group or users names** list if the check boxes are not already cleared. Click **OK**.
+
10. Click on the **Apply** to save changes and close the console.
### Create an Azure AD joined Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning, Windows 10 requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
+
+During Windows Hello for Business provisioning, Windows requests an authentication certificate from Microsoft Intune, which requests the authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You use the name of the certificate template when configuring the NDES Server.
Sign in a certificate authority or management workstations with _Domain Admin equivalent_ credentials.
1. Open the **Certificate Authority** management console.
+
2. Right-click **Certificate Templates** and click **Manage**.
+
3. Right-click the **Smartcard Logon** template and choose **Duplicate Template**.
+
4. On the **Compatibility** tab, clear the **Show resulting changes** check box. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Authority** list. Select **Windows Server 2012** or **Windows Server 2012 R2** from the **Certification Recipient** list.
+
5. On the **General** tab, type **AADJ WHFB Authentication** in **Template display name**. Adjust the validity and renewal period to meet your enterprise's needs.
> [!NOTE]
> If you use different template names, you'll need to remember and substitute these names in different portions of the deployment.
6. On the **Cryptography** tab, select **Key Storage Provider** from the **Provider Category** list. Select **RSA** from the **Algorithm name** list. Type **2048** in the **Minimum key size** text box. Select **SHA256** from the **Request hash** list.
+
7. On the **Extensions** tab, verify the **Application Policies** extension includes **Smart Card Logon**.
+
8. On the **Subject** tab, select **Supply in the request**.
+
9. On the **Request Handling** tab, select **Signature and encryption** from the **Purpose** list. Select the **Renew with same key** check box. Select **Enroll subject without requiring any user input**.
+
10. On the **Security** tab, click **Add**. Type **NDESSvc** in the **Enter the object names to select** text box and click **OK**.
-12. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
-13. Close the console.
+
+11. Select **NDESSvc** from the **Group or users names** list. In the **Permissions for NDES Servers** section, select the **Allow** check box for **Read** and **Enroll**. Clear the **Allow** check box for the **Enroll** and **Autoenroll** permissions for all other entries in the **Group or users names** section if the check boxes are not already cleared. Click **OK**.
+
+12. Close the console.
### Publish certificate templates
+
The certificate authority may only issue certificates for certificate templates that are published to that certificate authority. If you have more than one certificate authority and you want that certificate authority to issue certificates based on a specific certificate template, then you must publish the certificate template to all certificate authorities that are expected to issue the certificate.
> [!Important]
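Review bot: the Security-tab steps of the NDES-Intune Authentication template grant Enroll to **NDES server**, but the group created earlier in this file is **NDES Servers**; steps 8 and 9 should use the real group name, otherwise the object picker either fails the lookup or resolves to a single computer object instead of the group. In the AADJ WHFB Authentication template, the renumbered step 11 selects **NDESSvc** but then refers to the **Permissions for NDES Servers** section; that section is labelled after the selected principal, so it should read **Permissions for NDESSvc**. The restart step was changed from "2." to "1." while every other list in this file uses explicit numbering, so either keep "2." or convert the whole file to "1." markers. Minor: "different portions of the lab" should match the later "different portions of the deployment", "**Group or users names**" should be "**Group or user names**", "Click on the **Apply**" should be "Click **Apply**", and "with _Domain Admin equivalent_ credentials" should italicize only _Domain Admin_.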
@@ -235,73 +308,109 @@ The certificate authority may only issue certificates for certificate templates
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open the **Certificate Authority** management console.
+
2. Expand the parent node from the navigation pane.
+
3. Click **Certificate Templates** in the navigation pane.
+
4. Right-click the **Certificate Templates** node. Click **New**, and click **Certificate Template** to issue.
+
5. In the **Enable Certificates Templates** window, select the **NDES-Intune Authentication** and **AADJ WHFB Authentication** templates you created in the previous steps. Click **OK** to publish the selected certificate templates to the certificate authority.
+
6. Close the console.
## Install and Configure the NDES Role
+
This section includes the following topics:
-* Install the Network Device Enrollment Service Role
-* Configure the NDES service account
-* Configure the NDES role and Certificate Templates
-* Create a Web Application Proxy for the Internal NDES URL.
-* Enroll for an NDES-Intune Authentication Certificate
-* Configure the Web Server Certificate for NDES
-* Verify the configuration
+
+- Install the Network Device Enrollment Service Role
+- Configure the NDES service account
+- Configure the NDES role and Certificate Templates
+- Create a Web Application Proxy for the Internal NDES URL.
+- Enroll for an NDES-Intune Authentication Certificate
+- Configure the Web Server Certificate for NDES
+- Verify the configuration
### Install the Network Device Enrollment Services Role
+
Install the Network Device Enrollment Service role on a computer other than the issuing certificate authority.
Sign-in to the certificate authority or management workstations with an _Enterprise Admin_ equivalent credentials.
1. Open **Server Manager** on the NDES server.
+
2. Click **Manage**. Click **Add Roles and Features**.
+
3. In the **Add Roles and Features Wizard**, on the **Before you begin** page, click **Next**. Select **Role-based or feature-based installation** on the **Select installation type** page. Click **Next**. Click **Select a server from the server pool**. Select the local server from the **Server Pool** list. Click **Next**.
+

+
4. On the **Select server roles** page, select **Active Directory Certificate Services** from the **Roles** list.
+

+
Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
- 
+
+ 
+
5. On the **Features** page, expand **.NET Framework 3.5 Features**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Expand **.NET Framework 4.5 Features**. Expand **WCF Services**. Select **HTTP Activation**. Click **Add Features** on the **Add Roles and Feature Wizard** dialog box. Click **Next**.
+

+
6. On the **Select role services** page, clear the **Certificate Authority** check box. Select the **Network Device Enrollment Service**. Click **Add Features** on the **Add Roles and Features Wizard** dialog box. Click **Next**.
+

+
7. Click **Next** on the **Web Server Role (IIS)** page.
+
8. On the **Select role services** page for the Web Serve role, Select the following additional services if they are not already selected and then click **Next**.
- * **Web Server > Security > Request Filtering**
- * **Web Server > Application Development > ASP.NET 3.5**.
- * **Web Server > Application Development > ASP.NET 4.5**. .
- * **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
- * **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
+
+ - **Web Server > Security > Request Filtering**
+ - **Web Server > Application Development > ASP.NET 3.5**.
+ - **Web Server > Application Development > ASP.NET 4.5**. .
+ - **Management Tools > IIS 6 Management Compatibility > IIS 6 Metabase Compatibility**
+ - **Management Tools > IIS 6 Management Compatibility > IIS 6 WMI Compatibility**
+

+
9. Click **Install**. When the installation completes, continue with the next procedure. **Do not click Close**.
+
> [!IMPORTANT]
> .NET Framework 3.5 is not included in the typical installation. If the server is connected to the Internet, the installation attempts to get the files using Windows Update. If the server is not connected to the Internet, you need to **Specify an alternate source path** such as \
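Review bot: the converted list item "**Web Server > Application Development > ASP.NET 4.5**. ." still carries the stray trailing ". ." (and the ASP.NET 3.5 item a stray period) that should have been dropped when the bullets were changed from `*` to `-`; "Web Serve role" on the same step is a typo for "Web Server role". The sign-in line under "Install the Network Device Enrollment Services Role" tells the reader to sign in to the certificate authority with Enterprise Admin equivalent credentials, yet the intro says to install the role on a computer other than the CA and step 1 opens Server Manager on the NDES server; installing a role there needs only local administrator rights on that server, so the sign-in line should name the NDES server and the lesser privilege. Also "with an _Enterprise Admin_ equivalent credentials" (twice) should drop the "an", "**Enable Certificates Templates**" should be "**Enable Certificate Templates**", and "click **Certificate Template** to issue" should quote the menu item as **Certificate Template to Issue**.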
4. Once this is done, you will see a successful completion message.
-
+ 
### Create Service Connection Point (SCP) in Active Directory
-If you plan to use Windows 10 domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
-1. Open Windows PowerShell and execute the following:
+If you plan to use Windows domain join (with automatic registration to Azure AD) as described here, execute the following commands to create a service connection point in AD DS
+
+1. Open Windows PowerShell and execute the following:
`PS C:>Import-Module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\AdPrep\AdSyncPrep.psm1"`
-> [!NOTE]
-> If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
-
-
+ > [!NOTE]
+ > If necessary, copy the AdSyncPrep.psm1 file from your Azure AD Connect server. This file is located in Program Files\Microsoft Azure Active Directory Connect\AdPrep
+ 
2. Provide your Azure AD global administrator credentials
- `PS C:>$aadAdminCred = Get-Credential`
-
-
+ `PS C:>$aadAdminCred = Get-Credential`
+ 
3. Run the following PowerShell command
`PS C:>Initialize-ADSyncDomainJoinedComputerSync -AdConnectorAccount [AD connector account name] -AzureADCredentials $aadAdminCred`
-Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
+ Where the [AD connector account name] is the name of the account you configured in Azure AD Connect when adding your on-premises AD DS directory.
-The above commands enable Windows 10 clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.
+The above commands enable Windows clients to find the correct Azure AD domain to join by creating the serviceConnectionpoint object in AD DS.
### Prepare AD for Device Write Back
To ensure AD DS objects and containers are in the correct state for write back of devices from Azure AD, do the following.
-1. Open Windows PowerShell and execute the following:
+1. Open Windows PowerShell and execute the following:
`PS C:>Initialize-ADSyncDeviceWriteBack -DomainName
## Follow the Windows Hello for Business hybrid certificate trust deployment guide
+
1. [Overview](hello-hybrid-cert-trust.md)
2. [Prerequisites](hello-hybrid-cert-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-cert-new-install.md)
4. Configure Azure Device Registration (*You are here*)
5. [Configure Windows Hello for Business settings](hello-hybrid-cert-whfb-settings.md)
-6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
\ No newline at end of file
+6. [Sign-in and Provision](hello-hybrid-cert-whfb-provision.md)
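Review bot: this hunk has no `diff --git` or `@@` header, so the patch does not say which file the Service Connection Point steps belong to; please check the patch export. Within the hunk, the command line under the re-indented step 1 (`PS C:>Import-Module ...`) and the `Initialize-ADSyncDeviceWriteBack` line are left unindented while the note, image and the "Where the [AD connector account name]" line under step 3 are indented, which will break the ordered list rendering; indent the command lines to the same depth as the other continuation lines. The final command, `PS C:>Initialize-ADSyncDeviceWriteBack -DomainName`, ends without its argument and without a closing backtick, so either complete it with a bracketed placeholder in the style of `[AD connector account name]` or flag the truncation. Minor: "serviceConnectionpoint" should be "serviceConnectionPoint", and the rewritten intro sentence ending "...a service connection point in AD DS" needs a terminating period.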
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
index 28ff8d49c6..228747d35b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust-prereqs.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
@@ -56,7 +57,7 @@ Review these requirements and those from the Windows Hello for Business planning
## Public Key Infrastructure ##
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Certificate trust deployments need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. When using Group Policy, hybrid certificate trust deployment uses the Windows Server 2016 Active Directory Federation Server (AD FS) as a certificate registration authority.
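Review bot: the changed sentence reads "as trust anchor for authentication"; since it is being edited, add the article ("as a trust anchor"). The heading `## Public Key Infrastructure ##` uses closing hashes that no other heading in this patch uses; drop the trailing `##` for consistency. In the context line, "Windows Server 2016 Active Directory Federation Server (AD FS)" should be "Active Directory Federation Services (AD FS)", which is what the acronym expands to.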
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
index 4de8c1ff50..9cd1d4350b 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-trust.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
index 35bd16ed3e..e7082740c2 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-provision.md
@@ -1,6 +1,6 @@
---
title: Hybrid Azure AD joined Windows Hello for Business Certificate Trust Provisioning (Windows Hello for Business)
-description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Businesss.
+description: In this article, learn about provisioning for hybrid certificate trust deployments of Windows Hello for Business.
keywords: identity, PIN, biometric, Hello, passport, WHFB, hybrid, certificate-trust
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
index eeb5ed60a9..2a261013b9 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-ad.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
index 880a1fa1cc..398d31c3d6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-adfs.md
@@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
index b835c4fad1..c48e5ae621 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-dir-sync.md
@@ -17,10 +17,11 @@ ms.date: 4/30/2021
ms.reviewer:
---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Directory Synchronization
+# Configure Hybrid Azure AD joined Windows Hello for Business- Directory Synchronization
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate Trust
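Review bot: the new title in the '+' line drops the space before the hyphen ("Windows Hello for Business- Directory Synchronization"); the sibling pages renamed in this same patch use "Business - Public Key Infrastructure" and "Business - Group Policy", so this one should read "Configure Hybrid Azure AD joined Windows Hello for Business - Directory Synchronization".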
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
index 98cb3003ec..53d6fd45a0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-pki.md
@@ -17,11 +17,12 @@ ms.date: 4/30/2021
ms.reviewer:
---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Public Key Infrastructure
+# Configure Hybrid Azure AD joined Windows Hello for Business - Public Key Infrastructure
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid Deployment
- Certificate Trust
@@ -164,7 +165,7 @@ Sign-in to a certificate authority or management workstation with *Domain Admin*
### Creating Windows Hello for Business authentication certificate template
-During Windows Hello for Business provisioning, a Windows 10 client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
+During Windows Hello for Business provisioning, a Windows client requests an authentication certificate from the Active Directory Federation Service, which requests an authentication certificate on behalf of the user. This task configures the Windows Hello for Business authentication certificate template. You set the name of the certificate template when configuring it.
Sign-in to a certificate authority or management workstation with _Domain Admin equivalent_ credentials.
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
index 9ddd57ccd7..519afac582 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings-policy.md
@@ -16,18 +16,19 @@ localizationpriority: medium
ms.date: 4/30/2021
ms.reviewer:
---
-# Configure Hybrid Azure AD joined Windows Hello for Business: Group Policy
+# Configure Hybrid Azure AD joined Windows Hello for Business - Group Policy
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
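Review bot: the unchanged line directly after the two rewritten sentences still carries the grammar errors "you can create copy the .ADMX and .ADML files" and "copy them their respective language folder"; since this paragraph is being edited anyway, change them to "you can copy the .ADMX and .ADML files" and "copy them to their respective language folder". The same sentence appears in the hello-hybrid-key-whfb-settings-policy.md hunk of this patch, and "copy them their respective language folder" also survives in the hello-key-trust-policy-settings.md hunk.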
@@ -161,9 +162,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length
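Review bot: the rewritten '+' paragraph carries over "you can deploy Group Policy to provide to accomplish a variety of configurations", which is ungrammatical; drop "to provide" so it reads "you can deploy Group Policy to accomplish a variety of configurations". The identical sentence is also in the '+' lines of the PIN Complexity hunks for hello-hybrid-key-whfb-settings-policy.md and hello-key-trust-policy-settings.md in this patch and should be fixed in all three.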
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
index 73d00fcc58..a56e989ba6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-cert-whfb-settings.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Certificate trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
index a72c7e9f5e..bb3de61241 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-new-install.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
index 741d1cd8fc..713fcd89a5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-devreg.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
index a74ecbe0cb..5acfb06f68 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-dirsync.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
index b245d6282d..95442ae6dd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust-prereqs.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
@@ -31,7 +32,7 @@ The distributed systems on which these technologies were built involved several
* [Public Key Infrastructure](#public-key-infrastructure)
* [Directory Synchronization](#directory-synchronization)
* [Federation](#federation-with-azure)
-* [MultiFactor Authentication](#multifactor-authentication)
+* [Multifactor authentication](#multifactor-authentication)
* [Device Registration](#device-registration)
## Directories
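Review bot: the '+' line changes the link text to sentence case ("Multifactor authentication") while the neighbouring items in the same list stay in title case ("Public Key Infrastructure", "Directory Synchronization", "Device Registration"); use "Multifactor Authentication" here for consistency, or lowercase the whole list in one pass.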
@@ -61,7 +62,7 @@ Review these requirements and those from the Windows Hello for Business planning
## Public Key Infrastructure
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows 10 devices to trust the domain controller.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as trust anchor for authentication. Domain controllers for hybrid deployments need a certificate in order for Windows devices to trust the domain controller.
Key trust deployments do not need client issued certificates for on-premises authentication. Active Directory user accounts are automatically configured for public key mapping by Azure AD Connect synchronizing the public key of the registered Windows Hello for Business credential to an attribute on the user's Active Directory object.
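Review bot: the '+' line still reads "as trust anchor for authentication"; while this sentence is being touched, add the article so it reads "as the trust anchor for authentication".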
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
index d8a1b0a961..93903312e5 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-trust.md
@@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
index e60e0b15f0..8d412b86f0 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-provision.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
index c34af8b4ca..0f8a916c18 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-ad.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
index b5a7d75097..28f3658a43 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-dir-sync.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
index 11ea807b5c..bc2ae4f46c 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-pki.md
@@ -22,6 +22,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid Deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
index 4e90347c72..3cdd96f898 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings-policy.md
@@ -20,20 +20,21 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
## Policy Configuration
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from the [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create copy the .ADMX and .ADML files from a Windows 10 Creators Edition (1703) to their respective language folder on a Windows Server or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
Domain controllers of Windows Hello for Business deployments need one Group Policy setting, which enables automatic certificate enrollment for the newly create domain controller authentication certificate. This policy setting ensures domain controllers (new and existing) automatically request and renew the correct domain controller certificate.
-Hybrid Azure AD joined devices needs one Group Policy settings:
+Hybrid Azure AD joined devices needs one Group Policy setting:
* Enable Windows Hello for Business
### Configure Domain Controllers for Automatic Certificate Enrollment
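Review bot: the '+' line "Hybrid Azure AD joined devices needs one Group Policy setting:" fixes the plural on "setting" but leaves the verb disagreement; "devices" is plural, so it should be "need one Group Policy setting". The unchanged line two above ("the newly create domain controller authentication certificate") should also read "newly created".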
@@ -75,7 +76,7 @@ Sign-in a domain controller or management workstations with _Domain Admin_ equiv
The Windows Hello for Business Group Policy object delivers the correct Group Policy settings to the user, which enables them to enroll and use Windows Hello for Business to authenticate to Azure and Active Directory
> [!NOTE]
-> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows 10 device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
+> If you deployed Windows Hello for Business configuration using both Group Policy and Microsoft Intune, Group Policy settings will take precedence and Intune settings will be ignored. For more details about deploying Windows Hello for Business configuration using Microsoft Intune, see [Windows device settings to enable Windows Hello for Business in Intune](/mem/intune/protect/identity-protection-windows-settings) and [PassportForWork CSP](/windows/client-management/mdm/passportforwork-csp). For more details about policy conflicts, see [Policy conflicts from multiple policy sources](./hello-manage-in-organization.md#policy-conflicts-from-multiple-policy-sources)
#### Enable Windows Hello for Business
@@ -139,12 +140,12 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
>[!IMPORTANT]
-> Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
+> Starting from Windows 10, version 1703, the PIN complexity Group Policy settings have moved to remove misunderstanding that PIN complexity policy settings were exclusive to Windows Hello for Business. The new location of these Group Policy settings is under **Computer Configuration\Administrative Templates\System\PIN Complexity** of the Group Policy editor.
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length
diff --git a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
index 72ae9b3df4..b849c9ce8a 100644
--- a/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-hybrid-key-whfb-settings.md
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- Hybrid deployment
- Key trust
@@ -44,7 +45,7 @@ For the most efficient deployment, configure these technologies in order beginni
## Follow the Windows Hello for Business hybrid key trust deployment guide
-1. [Overview](hello-hybrid-cert-trust.md)
+1. [Overview](hello-hybrid-key-trust.md)
2. [Prerequisites](hello-hybrid-key-trust-prereqs.md)
3. [New Installation Baseline](hello-hybrid-key-new-install.md)
4. [Configure Directory Synchronization](hello-hybrid-key-trust-dirsync.md)
diff --git a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
index ddb05b73ac..3660d85201 100644
--- a/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
+++ b/windows/security/identity-protection/hello-for-business/hello-identity-verification.md
@@ -24,10 +24,10 @@ This article lists the infrastructure requirements for the different deployment
## Cloud Only Deployment
-* Windows 10, version 1511 or later
+* Windows 10, version 1511 or later, or Windows 11
* Microsoft Azure Account
* Azure Active Directory
-* Azure AD Multi-Factor Authentication
+* Azure AD Multifactor Authentication
* Modern Management (Intune or supported third-party MDM), *optional*
* Azure AD Premium subscription - *optional*, needed for automatic MDM enrollment when the device joins Azure Active Directory
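Review bot: the '+' line renames the product to "Azure AD Multifactor Authentication", but the hello-key-trust-validate-deploy-mfa.md hunk in this same patch keeps the product name as "Azure AD Multi-Factor Authentication" and only respells the generic term "multifactor authentication"; pick one spelling for the product name and apply it across the patch.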
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
index 4e83f31ec3..7423caec53 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-adfs.md
@@ -16,10 +16,11 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Prepare and Deploy Windows Server 2016 Active Directory Federation Services
+# Prepare and Deploy Windows Server 2016 Active Directory Federation Services with Key Trust
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- On-premises deployment
- Key trust
@@ -101,7 +102,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials.
8. Click **Next** on the **Active Directory Federation Service** page.
9. Click **Install** to start the role installation.
-## Review
+## Review to validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm the AD FS farm uses the correct database configuration.
@@ -213,7 +214,7 @@ Sign-in the federation server with _Enterprise Admin_ equivalent credentials. Th
3. In the details pane, click **Configure Device Registration**.
4. In the **Configure Device Registration** dialog, click **OK**.
-## Review
+## Review and validate
Before you continue with the deployment, validate your deployment progress by reviewing the following items:
* Confirm you followed the correct procedures based on the domain controllers used in your deployment
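Review bot: the two renamed headings in this file disagree: the earlier hunk changes "## Review" to "## Review to validate" and this one to "## Review and validate", yet both sections open with the identical sentence "Before you continue with the deployment, validate your deployment progress by reviewing the following items:". If the intent is only to remove the duplicate heading, the two should still follow one pattern and differ by what each review covers (the role installation versus the device registration configuration) rather than by swapping "to" for "and".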
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
index 8042bad1d8..116c9ba6ab 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-policy-settings.md
@@ -16,16 +16,17 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Configure Windows Hello for Business Policy settings
+# Configure Windows Hello for Business Policy settings - Key Trust
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- On-premises deployment
- Key trust
-You need a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows 10. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
-Install the Remote Server Administration Tools for Windows 10 on a computer running Windows 10, version 1703.
+You need at least a Windows 10, version 1703 workstation to run the Group Policy Management Console, which provides the latest Windows Hello for Business and PIN Complexity Group Policy settings. To run the Group Policy Management Console, you need to install the Remote Server Administration Tools for Windows. You can download these tools from [Microsoft Download Center](https://www.microsoft.com/download/details.aspx?id=45520).
+Install the Remote Server Administration Tools for Windows on a computer running Windows 10, version 1703 or later.
Alternatively, you can create a copy of the .ADMX and .ADML files from a Windows 10, version 1703 installation setup template folder to their respective language folder on a Windows Server, or you can create a Group Policy Central Store and copy them their respective language folder. See [How to create and manage the Central Store for Group Policy Administrative Templates in Windows](https://support.microsoft.com/help/3087759/how-to-create-and-manage-the-central-store-for-group-policy-administrative-templates-in-windows) for more information.
@@ -35,7 +36,7 @@ On-premises certificate-based deployments of Windows Hello for Business needs on
The Group Policy setting determines whether users are allowed, and prompted, to enroll for Windows Hello for Business. It can be configured for computers or users.
-If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows 10.
+If you configure the Group Policy for computers, all users that sign-in to those computers will be allowed and prompted to enroll for Windows Hello for Business. If you configure the Group Policy for users, only those users will be allowed and prompted to enroll for Windows Hello for Business. For these settings to be configured using GPO, you need to download and install the latest Administrative Templates (.admx) for Windows.
## Create the Windows Hello for Business Group Policy object
@@ -92,9 +93,9 @@ The default Windows Hello for Business enables users to enroll and use biometric
### PIN Complexity
-PIN complexity is not specific to Windows Hello for Business. Windows 10 enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
+PIN complexity is not specific to Windows Hello for Business. Windows enables users to use PINs outside of Windows Hello for Business. PIN Complexity Group Policy settings apply to all uses of PINs, even when Windows Hello for Business is not deployed.
-Windows 10 provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
+Windows provides eight PIN Complexity Group Policy settings that give you granular control over PIN creation and management. You can deploy these policy settings to computers, where they affect all users creating PINs on that computer; or, you can deploy these settings to users, where they affect those users creating PINs regardless of the computer they use. If you deploy both computer and user PIN complexity Group Policy settings, the user policy settings have precedence over computer policy settings. Also, this conflict resolution is based on the last applied policy. Windows does not merge the policy settings automatically; however, you can deploy Group Policy to provide to accomplish a variety of configurations. The policy settings included are:
* Require digits
* Require lowercase letters
* Maximum PIN length
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
index c2c52074f8..943e611e93 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-ad-prereq.md
@@ -16,10 +16,11 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Validate Active Directory prerequisites
+# Validate Active Directory prerequisites - Key Trust
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- On-premises deployment
- Key trust
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
index 90a492218c..349b328807 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-deploy-mfa.md
@@ -16,14 +16,15 @@ localizationpriority: medium
ms.date: 08/19/2018
ms.reviewer:
---
-# Validate and Deploy Multi-factor Authentication (MFA)
+# Validate and Deploy Multifactor Authentication (MFA)
> [!IMPORTANT]
-> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multi-factor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
+> As of July 1, 2019, Microsoft will no longer offer MFA Server for new deployments. New customers who would like to require multifactor authentication from their users should use cloud-based Azure AD Multi-Factor Authentication. Existing customers who have activated MFA Server prior to July 1 will be able to download the latest version, future updates and generate activation credentials as usual.
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- On-premises deployment
- Key trust
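Review bot: the H1 and the note now spell "multifactor" without a hyphen while the same note keeps "Azure AD Multi-Factor Authentication"; that is fine only if the hyphenated form is the branded product name, so confirm it matches rather than leaving two spellings in one paragraph. ms.date (08/19/2018) is also left untouched despite the edits in this hunk.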
diff --git a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
index 08e787ef60..d4e87e620e 100644
--- a/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
+++ b/windows/security/identity-protection/hello-for-business/hello-key-trust-validate-pki.md
@@ -17,10 +17,11 @@ ms.date: 08/19/2018
ms.reviewer:
---
-# Validate and Configure Public Key Infrastructure
+# Validate and Configure Public Key Infrastructure - Key Trust
**Applies to**
- Windows 10, version 1703 or later
+- Windows 11
- On-premises deployment
- Key trust
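Review bot: the H1 gains a " - Key Trust" suffix, but the front-matter `title:` field above this hunk is not part of the change; confirm it is updated to match so the page title and H1 do not diverge.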
@@ -114,7 +115,7 @@ The certificate template is configured to supersede all the certificate template
### Configure an Internal Web Server Certificate template
-Windows 10 clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
+Windows clients use the https protocol when communicating with Active Directory Federation Services. To meet this need, you must issue a server authentication certificate to all the nodes in the Active Directory Federation Services farm. On-premises deployments can use a server authentication certificate issued by their enterprise PKI. You must configure a server authentication certificate template so the host running the Active Directory Federation Service can request the certificate.
Sign-in to a certificate authority or management workstations with _Domain Admin_ equivalent credentials.
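Review bot: in the changed line, "https protocol" should be "HTTPS protocol" (protocol acronym), and the trailing context line uses the noun form "Sign-in to a certificate authority" where the verb "Sign in to" is meant; both are worth fixing while this paragraph is being edited.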
diff --git a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
index ab8e875aaa..5c7129efd6 100644
--- a/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
+++ b/windows/security/identity-protection/hello-for-business/hello-manage-in-organization.md
@@ -1,5 +1,5 @@
---
-title: Manage Windows Hello in your organization (Windows 10)
+title: Manage Windows Hello in your organization (Windows)
description: You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello for Business on devices running Windows 10.
ms.assetid: 47B55221-24BE-482D-BD31-C78B22AC06D8
ms.reviewer:
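Review bot: the title is changed to "(Windows)" but the description line directly below still reads "devices running Windows 10"; update it to "Windows 10 and Windows 11" as this PR does for the description in hello-overview.md.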
@@ -22,6 +22,7 @@ ms.date: 1/20/2021
**Applies to**
- Windows 10
+- Windows 11
You can create a Group Policy or mobile device management (MDM) policy that will implement Windows Hello on devices running Windows 10.
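Review bot: Windows 11 is added to Applies to, but the body sentence in the trailing context, "implement Windows Hello on devices running Windows 10", still names Windows 10 only; change it to "Windows 10 and Windows 11" or simply "Windows" for consistency with the title change.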
diff --git a/windows/security/identity-protection/hello-for-business/hello-overview.md b/windows/security/identity-protection/hello-for-business/hello-overview.md
index 1a2b17c308..cd38c11105 100644
--- a/windows/security/identity-protection/hello-for-business/hello-overview.md
+++ b/windows/security/identity-protection/hello-for-business/hello-overview.md
@@ -1,7 +1,7 @@
---
-title: Windows Hello for Business Overview (Windows 10)
+title: Windows Hello for Business Overview (Windows)
ms.reviewer: An overview of Windows Hello for Business
-description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10.
+description: Learn how Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport
ms.prod: w10
ms.mktglfcycl: deploy
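Review bot: in the unchanged context, ms.reviewer holds "An overview of Windows Hello for Business", which looks like description text placed in the reviewer field; worth correcting while the front matter is being edited.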
@@ -20,6 +20,7 @@ localizationpriority: medium
**Applies to**
- Windows 10
+- Windows 11
In Windows 10, Windows Hello for Business replaces passwords with strong two-factor authentication on PCs and mobile devices. This authentication consists of a new type of user credential that is tied to a device and uses a biometric or PIN.
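Review bot: the Applies to list gains Windows 11, but the trailing context sentence still opens "In Windows 10, Windows Hello for Business replaces passwords"; since the description in the previous hunk was updated to "Windows 10 and Windows 11", do the same here.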
@@ -47,7 +48,7 @@ As an administrator in an enterprise or educational organization, you can create
Windows Hello provides reliable, fully integrated biometric authentication based on facial recognition or fingerprint matching. Windows Hello uses a combination of special infrared (IR) cameras and software to increase accuracy and guard against spoofing. Major hardware vendors are shipping devices that have integrated Windows Hello-compatible cameras. Fingerprint reader hardware can be used or added to devices that don't currently have it. On devices that support Windows Hello, an easy biometric gesture unlocks users' credentials.
- **Facial recognition**. This type of biometric recognition uses special cameras that see in IR light, which allows them to reliably tell the difference between a photograph or scan and a living person. Several vendors are shipping external cameras that incorporate this technology, and major laptop manufacturers are incorporating it into their devices, as well.
-- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10.
+- **Fingerprint recognition**. This type of biometric recognition uses a capacitive fingerprint sensor to scan your fingerprint. Fingerprint readers have been available for Windows computers for years, but the current generation of sensors is significantly more reliable and less error-prone. Most existing fingerprint readers (whether external or integrated into laptops or USB keyboards) work with Windows 10 and Windows 11.
Windows stores biometric data that is used to implement Windows Hello securely on the local device only. The biometric data doesn't roam and is never sent to external devices or servers. Because Windows Hello only stores biometric identification data on the device, there's no single collection point an attacker can compromise to steal biometric data. For more information about biometric authentication with Windows Hello for Business, see [Windows Hello biometrics in the enterprise](hello-biometrics-in-enterprise.md).
diff --git a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
index 9bec345719..617be85699 100644
--- a/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
+++ b/windows/security/identity-protection/hello-for-business/hello-planning-guide.md
@@ -21,6 +21,7 @@ ms.reviewer:
**Applies to**
- Windows 10
+- Windows 11
Congratulations! You are taking the first step forward in helping move your organizations away from password to a two-factor, convenience authentication for Windows — Windows Hello for Business. This planning guide helps you understand the different topologies, architectures, and components that encompass a Windows Hello for Business infrastructure.
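Review bot: the unchanged intro line has two grammar slips worth fixing while the file is open: "helping move your organizations away from password" should read "helping move your organization away from passwords".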
@@ -145,9 +146,9 @@ Modern management is an emerging device management paradigm that leverages the c
### Client
-Windows Hello for Business is an exclusive Windows 10 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows 10 and introduced support for new scenarios.
+Windows Hello for Business is an exclusive Windows 10 and Windows 11 feature. As part of the Windows as a Service strategy, Microsoft has improved the deployment, management, and user experience with each new release of Windows and introduced support for new scenarios.
-Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
+Most deployment scenarios require a minimum of Windows 10, version 1511, also known as the November Update. The client requirement may change based on different components in your existing infrastructure, or other infrastructure choices made later in planning your deployment. Those components and choices may require a minimum client running Windows 10, version 1703, also known as the Creators Update.
### Active Directory
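Review bot: the second -/+ pair in this hunk ("Most deployment scenarios require a minimum of Windows 10, version 1511...") shows no visible difference, so it is presumably a whitespace-only change; harmless if so, but if the intent was to also state the Windows 11 client requirement alongside the Windows 10 versions, that change is missing.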
@@ -156,7 +157,7 @@ Hybrid and on-premises deployments include Active Directory as part of their inf
### Public Key Infrastructure
-The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows 10 devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
+The Windows Hello for Business deployment depends on an enterprise public key infrastructure as a trust anchor for authentication. Domain controllers for hybrid and on-premises deployments need a certificate in order for Windows devices to trust the domain controller as legitimate. Deployments using the certificate trust type need an enterprise public key infrastructure and a certificate registration authority to issue authentication certificates to users. Hybrid deployments may need to issue VPN certificates to users to enable connectivity on-premises resources.
### Cloud
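Review bot: the changed PKI line carries over a missing preposition from the original: "to enable connectivity on-premises resources" should be "to enable connectivity to on-premises resources".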
@@ -267,7 +268,7 @@ If you use modern management for both domain and non-domain joined devices, writ
### Client
-Windows Hello for Business is a feature exclusive to Windows 10. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
+Windows Hello for Business is a feature exclusive to Windows 10 and Windows 11. Some deployments and features are available using earlier versions of Windows 10. Others need the latest versions.
If box **1a** on your planning worksheet reads **cloud only**, write **N/A** in box **3a** on your planning worksheet. Optionally, you may write **1511 or later** in box **3b** on your planning worksheet if you plan to manage non-domain joined devices.
> [!NOTE]
diff --git a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
index e7d6a0cea8..bf0a6af0ea 100644
--- a/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
+++ b/windows/security/identity-protection/hello-for-business/hello-prepare-people-to-use.md
@@ -1,5 +1,5 @@
---
-title: Prepare people to use Windows Hello (Windows 10)
+title: Prepare people to use Windows Hello (Windows)
description: When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization.
ms.assetid: 5270B416-CE31-4DD9-862D-6C22A2AE508B
ms.reviewer:
@@ -22,6 +22,7 @@ ms.date: 08/19/2018
**Applies to**
- Windows 10
+- Windows 11
When you set a policy to require Windows Hello for Business in the workplace, you will want to prepare people in your organization by explaining how to use Hello.
diff --git a/windows/security/identity-protection/hello-for-business/hello-videos.md b/windows/security/identity-protection/hello-for-business/hello-videos.md
index c53586ff18..0f47042799 100644
--- a/windows/security/identity-protection/hello-for-business/hello-videos.md
+++ b/windows/security/identity-protection/hello-for-business/hello-videos.md
@@ -1,6 +1,6 @@
---
title: Windows Hello for Business Videos
-description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10.
+description: View several informative videos describing features and experiences in Windows Hello for Business in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
@@ -20,6 +20,7 @@ ms.reviewer:
**Applies to**
- Windows 10
+- Windows 11
## Overview of Windows Hello for Business and Features
diff --git a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
index d74bd61baa..738db8c9bd 100644
--- a/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
+++ b/windows/security/identity-protection/hello-for-business/hello-why-pin-is-better-than-password.md
@@ -1,5 +1,5 @@
---
-title: Why a PIN is better than a password (Windows 10)
+title: Why a PIN is better than a password (Windows)
description: Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password .
ms.assetid: A6FC0520-01E6-4E90-B53D-6C4C4E780212
ms.reviewer:
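Review bot: the title is updated to "(Windows)" but the description line below still says "Windows Hello in Windows 10 enables users" and ends with a stray space before the period ("a password ."); update the description to match the title and remove the space.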
@@ -23,6 +23,7 @@ ms.date: 10/23/2017
**Applies to**
- Windows 10
+- Windows 11
Windows Hello in Windows 10 enables users to sign in to their device using a PIN. How is a PIN different from (and better than) a password?
On the surface, a PIN looks much like a password. A PIN can be a set of numbers, but enterprise policy might allow complex PINs that include special characters and letters, both upper-case and lower-case. Something like **t758A!** could be an account password or a complex Hello PIN. It isn't the structure of a PIN (length, complexity) that makes it better than a password, it's how it works.
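Review bot: Windows 11 is added to Applies to, but the first body sentence in trailing context still reads "Windows Hello in Windows 10 enables users to sign in"; align it with the title change.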
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AADConnectOnPremDN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/aadconnectonpremdn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-01.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-01.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-02.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-02.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureAppProxyConnectorInstall-03.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureappproxyconnectorinstall-03.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Default.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-default.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-Empty.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-empty.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-ApplicationProxy-Connectors-NewConnectorGroup.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-applicationproxy-connectors-newconnectorgroup.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/AzureConsole-AppProxyConfig.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/azureconsole-appproxyconfig.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/dotNet35sideByside.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/dotnet35sidebyside.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig01.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig01.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig02.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig02.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig03b.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig03b.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig04.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig04.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/ndesConfig05.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndesconfig05.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-CA-SPN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ca-spn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegation-HOST-NDES-SPN.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegation-host-ndes-spn.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/NDESSvcDelegationTab.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/ndessvcdelegationtab.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-add-Features.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-add-features.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-HTTP-Activation.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-http-activation.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-NDES-Role-Checked.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-ndes-role-checked.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-Role.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-role.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-ADCS-WebServer-Role.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-adcs-webserver-role.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Destination-Server-NDES.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-destination-server-ndes.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/serverManager-Post-NDES-YellowActionFlag.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/servermanager-post-ndes-yellowactionflag.png
diff --git a/windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png b/windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png
similarity index 100%
rename from windows/security/identity-protection/hello-for-business/images/aadjCert/setSPN-CommandPrompt.png
rename to windows/security/identity-protection/hello-for-business/images/aadjCert/setspn-commandprompt.png
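Review bot: these image renames are case-only (for example AADConnectOnPremDN.png to aadconnectonpremdn.png, similarity index 100%); make sure every markdown file that references them is updated to the new lowercase paths, because a case mismatch works on a case-insensitive Windows checkout but breaks image links on case-sensitive build hosts. None of the hunks shown here update those references.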
diff --git a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
index a17d30b55f..73aab32a55 100644
--- a/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/microsoft-compatible-security-key.md
@@ -1,6 +1,6 @@
---
title: Microsoft-compatible security key
-description: Learn how a Microsoft-compatible security key for Windows 10 is different (and better) than any other FIDO2 security key.
+description: Learn how a Microsoft-compatible security key for Windows is different (and better) than any other FIDO2 security key.
keywords: FIDO2, security key, CTAP, Hello, WHFB
ms.prod: w10
ms.mktglfcycl: deploy
diff --git a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
index 2b1c101fc0..f7bb6e7722 100644
--- a/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
+++ b/windows/security/identity-protection/hello-for-business/passwordless-strategy.md
@@ -1,6 +1,6 @@
---
title: Passwordless Strategy
-description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10.
+description: Learn about the password-less strategy and how Windows Hello for Business implements this strategy in Windows 10 and Windows 11.
keywords: identity, PIN, biometric, Hello, passport, video, watch, passwordless
ms.prod: w10
ms.mktglfcycl: deploy
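Review bot: the edited description uses "password-less" while the title and keywords on adjacent lines use "passwordless"; since the line is being changed anyway, normalize to "passwordless".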
@@ -25,7 +25,7 @@ Over the past few years, Microsoft has continued their commitment to enabling a
### 1. Develop a password replacement offering
-Before you move away from passwords, you need something to replace them. With Windows 10, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
+Before you move away from passwords, you need something to replace them. With Windows 10 and Windows 11, Microsoft introduced Windows Hello for Business, a strong, hardware protected two-factor credential that enables single sign-on to Azure Active Directory and Active Directory.
Deploying Windows Hello for Business is the first step towards a passwordless environment. Windows Hello for Business coexists nicely with existing password-based security. Users are likely to use Windows Hello for Business because of its convenience, especially when combined with biometrics. However, some workflows and applications may still need passwords. This early stage is about implementing an alternative and getting users used to it.
@@ -38,7 +38,7 @@ Once the user-visible password surface has been eliminated, your organization ca
- the users never change their password
- the users do not know their password
-In this world, the user signs in to Windows 10 using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
+In this world, the user signs in to Windows using Windows Hello for Business and enjoys single sign-on to Azure and Active Directory resources. If the user is forced to authenticate, their authentication uses Windows Hello for Business.
### 4. Eliminate passwords from the identity directory
The final step of the passwordless story is where passwords simply do not exist. At this step, identity directories no longer persist any form of the password. This is where Microsoft achieves the long-term security promise of a truly passwordless environment.
@@ -139,7 +139,7 @@ The journey to password freedom is to take each work persona through each step o
After successfully moving a work persona to password freedom, you can prioritize the remaining work personas and repeat the process.
### Passwordless replacement offering (Step 1)
-The first step to password freedom is providing an alternative to passwords. Windows 10 provides an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
+The first step to password freedom is providing an alternative to passwords. Windows 10 and Windows 11 provide an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory.
#### Identify test users that represent the targeted work persona
A successful transition relies on user acceptance testing. It is impossible for you to know how every work persona goes about their day-to-day activities, or how to accurately validate them. You need to enlist the help of users who fit the targeted work persona. You only need a few users from the targeted work persona. As you cycle through step 2, you may want to change a few of the users (or add a few) as part of your validation process.
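Review bot: the verb fix (provides → provide) is right, but the rest of the sentence is still ungrammatical: "an affordable and easy in-box alternative to passwords, Windows Hello for Business, a strong, two-factor authentication to Azure Active Directory and Active Directory" stacks three appositives with no verb. Suggest: "Windows 10 and Windows 11 provide an affordable, easy in-box alternative to passwords: Windows Hello for Business, which provides strong two-factor authentication to Azure Active Directory and Active Directory."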
diff --git a/windows/security/identity-protection/hello-for-business/reset-security-key.md b/windows/security/identity-protection/hello-for-business/reset-security-key.md
index 732dff8677..92a7af375c 100644
--- a/windows/security/identity-protection/hello-for-business/reset-security-key.md
+++ b/windows/security/identity-protection/hello-for-business/reset-security-key.md
@@ -1,6 +1,6 @@
---
title: Reset-security-key
-description: Windows�10 enables users to sign in to their device using a security key. How to reset a security key
+description: Windows 10 and Windows 11 enables users to sign in to their device using a security key. How to reset a security key
keywords: FIDO2, security key, CTAP, Microsoft-compatible security key
ms.prod: w10
ms.mktglfcycl: deploy
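Review bot: the new description line has a number-agreement error: "Windows 10 and Windows 11 enables users" should be "enable users" (compound subject). While here, the second half is a fragment; suggest "Windows 10 and Windows 11 enable users to sign in to their device using a security key. Learn how to reset a security key." Good to see the mis-encoded non-breaking space ("Windows�10") removed from the old line.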
@@ -24,14 +24,14 @@ ms.reviewer:
>This operation will wipe everything from your security key and reset it to factory defaults. **All data and credentials will be cleared.**
-A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app ( Settings > Accounts > Sign-in options > Security key ).
+A [Microsoft-compatible security key](./microsoft-compatible-security-key.md) can be reset via Settings app (Settings > Accounts > Sign-in options > Security key).
Follow the instructions in the Settings app and look for specific instructions based on your security key manufacturer below:
|Security key manufacturer | Reset instructions |
| --- | --- |
-|Yubico | **USB:** Remove and re-insert the security key. When the LED on the security key begins flashing, touch the metal contact
**NFC:** Tap the security key on the reader
|
+|Yubico | **USB:** Remove and reinsert the security key. When the LED on the security key begins flashing, touch the metal contact
**NFC:** Tap the security key on the reader
|
|Feitian | Touch the blinking fingerprint sensor twice to reset the key|
|HID | Tap the card on the reader twice to reset it |
diff --git a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
index 2ad3bb1f3b..d90093aab8 100644
--- a/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
+++ b/windows/security/identity-protection/hello-for-business/retired/hello-how-it-works.md
@@ -1,5 +1,5 @@
---
-title: How Windows Hello for Business works (Windows 10)
+title: How Windows Hello for Business works (Windows)
description: Learn about registration, authentication, key material, and infrastructure for Windows Hello for Business.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -13,11 +13,13 @@ ms.reviewer:
manager: dansimp
ms.topic: article
---
-# How Windows Hello for Business works
+# How Windows Hello for Business works in Windows devices
**Applies to**
-- Windows 10
-- Windows 10 Mobile
+
+- Windows 10
+- Windows 11
+- Windows 10 Mobile
Windows Hello for Business requires a registered device. When the device is set up, its user can use the device to authenticate to services. This topic explains how device registration works, what happens when a user requests authentication, how key material is stored and processed, and which servers and infrastructure components are involved in different parts of this process.
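Review bot: this file lives under hello-for-business/retired/, yet the hunk adds Windows 11 to its "Applies to" list and keeps Windows 10 Mobile, which is out of support. Adding a current OS to a retired article invites readers to treat it as maintained; either leave the retired page alone or at least drop the Windows 10 Mobile entry at the same time. Separately, the new H1 "How Windows Hello for Business works in Windows devices" is awkward; "How Windows Hello for Business works", matching the title line above it, reads better.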
@@ -30,15 +32,15 @@ A goal of device registration is to allow a user to open a brand-new device, sec
The registration process works like this:
-1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
+1. The user configures an account on the device. This account can be a local account on the device, a domain account stored in the on-premises Active Directory domain, a Microsoft account, or an Azure AD account. For a new device, this step may be as simple as signing in with a Microsoft account. Signing in with a Microsoft account on a Windows 10 or Windows 11 device automatically sets up Windows Hello on the device; users don’t have to do anything extra to enable it.
2. To sign in using that account, the user has to enter the existing credentials for it. The identity provider (IDP) that “owns” the account receives the credentials and authenticates the user. This IDP authentication may include the use of an existing second authentication factor, or proof. For example, a user who registers a new device by using an Azure AD account will have to provide an SMS-based proof that Azure AD sends.
3. When the user has provided the proof to the IDP, the user enables PIN authentication. The PIN will be associated with this particular credential. When the user sets the PIN, it becomes usable immediately
The PIN chosen is associated with the combination of the active account and that specific device. The PIN must comply with whatever length and complexity policy the account administrator has configured; this policy is enforced on the device side. Other registration scenarios that Windows Hello supports are:
- A user who upgrades from the Windows 8.1 operating system will sign in by using the existing enterprise password. That triggers a second authentication factor from the IDP side (if required); after receiving and returning a proof, such as a text message or voice code, the IDP authenticates the user to the upgraded Windows 10 device, and the user can set his or her PIN.
-- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
-- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 device the user has not previously signed in to.
+- A user who typically uses a smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 or Windows 11 device the user has not previously signed in to.
+- A user who typically uses a virtual smart card to sign in will be prompted to set up a PIN the first time he or she signs in to a Windows 10 and Windows 11 device the user has not previously signed in to.
When the user has completed this process, Windows Hello generates a new public–private key pair on the device. The TPM generates and protects this private key; if the device doesn’t have a TPM, the private key is encrypted and stored in software. This initial key is referred to as the protector key. It’s associated only with a single gesture; in other words, if a user registers a PIN, a fingerprint, and a face on the same device, each of those gestures will have a unique protector key. Each unique gesture generates a unique protector key. The protector key securely wraps the authentication key. The container has only one authentication key, but there can be multiple copies of that key wrapped with different unique protector keys. Windows Hello also generates an administrative key that the user or administrator can use to reset credentials, when necessary. In addition to the protector key, TPM-enabled devices generate a block of data that contains attestations from the TPM.
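Review bot: the two smart-card bullets are now inconsistent with each other: the first says "a Windows 10 or Windows 11 device" and the second says "a Windows 10 and Windows 11 device". A single device is one or the other, so the second should be "or" as well. The Windows 8.1 upgrade bullet between them still says "the upgraded Windows 10 device"; confirm that one was intentionally left alone.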
@@ -46,7 +48,7 @@ At this point, the user has a PIN gesture defined on the device and an associate
## What’s a container?
-You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
+You’ll often hear the term *container* used in reference to mobile device management (MDM) solutions. Windows Hello uses the term, too, but in a slightly different way. Container in this context is shorthand for a logical grouping of key material or data. Windows 10 or Windows 11 Hello uses a single container that holds user key material for personal accounts, including key material associated with the user’s Microsoft account or with other consumer identity providers, and credentials associated with a workplace or school account.
The container holds enterprise credentials only on devices that have been registered with an organization; it contains key material for the enterprise IDP, such as on-premises Active Directory or Azure AD.
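Review bot: "Windows 10 or Windows 11 Hello uses a single container" reads as if "Windows 11 Hello" were a product name. Suggest "Windows Hello on Windows 10 or Windows 11 uses a single container", or simply "Windows Hello uses a single container", since the rest of this paragraph already uses the unversioned name.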
diff --git a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
index 130688534d..6f65b3199e 100644
--- a/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
+++ b/windows/security/identity-protection/user-account-control/user-account-control-group-policy-and-registry-key-settings.md
@@ -32,7 +32,7 @@ There are 10 Group Policy settings that can be configured for User Account Contr
| [User Account Control: Admin Approval Mode for the built-in Administrator account](#user-account-control-admin-approval-mode-for-the-built-in-administrator-account) | FilterAdministratorToken | Disabled |
| [User Account Control: Allow UIAccess applications to prompt for elevation without using the secure desktop](#user-account-control-allow-uiaccess-applications-to-prompt-for-elevation-without-using-the-secure-desktop) | EnableUIADesktopToggle | Disabled |
| [User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode](#user-account-control-behavior-of-the-elevation-prompt-for-administrators-in-admin-approval-mode) | ConsentPromptBehaviorAdmin | Prompt for consent for non-Windows binaries |
-| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials on the secure desktop |
+| [User Account Control: Behavior of the elevation prompt for standard users](#user-account-control-behavior-of-the-elevation-prompt-for-standard-users) | ConsentPromptBehaviorUser | Prompt for credentials |
| [User Account Control: Detect application installations and prompt for elevation](#user-account-control-detect-application-installations-and-prompt-for-elevation) | EnableInstallerDetection | Enabled (default for home)
Disabled (default for enterprise) |
| [User Account Control: Only elevate executables that are signed and validated](#user-account-control-only-elevate-executables-that-are-signed-and-validated) | ValidateAdminCodeSignatures | Disabled |
| [User Account Control: Only elevate UIAccess applications that are installed in secure locations](#user-account-control-only-elevate-uiaccess-applications-that-are-installed-in-secure-locations) | EnableSecureUIAPaths | Enabled |
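Review bot: the default for ConsentPromptBehaviorUser is flipped from "Prompt for credentials on the secure desktop" to "Prompt for credentials" with no source cited in the change; please add one. Note that either way the prompt still appears on the secure desktop by default, because that is governed by the separate "Switch to the secure desktop when prompting for elevation" (PromptOnSecureDesktop) setting, which is enabled by default; a one-line reminder of that in the row would stop readers interpreting this default change as a security downgrade.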
@@ -104,8 +104,8 @@ The **User Account Control: Behavior of the elevation prompt for standard users*
The options are:
- **Automatically deny elevation requests.** When an operation requires elevation of privilege, a configurable access denied error message is displayed. An enterprise that is running desktops as standard user may choose this setting to reduce help desk calls.
-- **Prompt for credentials on the secure desktop.** (Default) When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
-- **Prompt for credentials.** When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for credentials on the secure desktop.** When an operation requires elevation of privilege, the user is prompted on the secure desktop to enter a different user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
+- **Prompt for credentials.** (Default) When an operation requires elevation of privilege, the user is prompted to enter an administrative user name and password. If the user enters valid credentials, the operation continues with the applicable privilege.
### User Account Control: Detect application installations and prompt for elevation
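Review bot: moving the "(Default)" marker here keeps the options list consistent with the table hunk above, but the two option descriptions now disagree about whose credentials are entered: the secure-desktop option says "a different user name and password" and the default option says "an administrative user name and password". The behaviour is the same in both cases (credentials of an account that is a member of the local Administrators group), so use the same wording for both.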
diff --git a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
index bbb6ddc586..907bcfc24c 100644
--- a/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-configure-diffie-hellman-protocol-over-ikev2-vpn-connections.md
@@ -1,5 +1,5 @@
---
-title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10)
+title: How to configure Diffie Hellman protocol over IKEv2 VPN connections (Windows 10 and Windows 11)
description: Learn how to update the Diffie Hellman configuration of VPN servers and clients by running VPN cmdlets to secure connections.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -8,16 +8,17 @@ ms.pagetype: security, networking
author: dansimp
ms.author: dansimp
ms.localizationpriority: medium
-ms.date: 02/08/2018
+ms.date: 09/23/2021
ms.reviewer:
manager: dansimp
---
# How to configure Diffie Hellman protocol over IKEv2 VPN connections
->Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10
+>Applies To: Windows Server (Semi-Annual Channel), Windows Server 2016, Windows 10, Windows 11
+
+In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
-In IKEv2 VPN connections, the default configuration for Diffie Hellman group is Group 2, which is not secure for IKE exchanges.
To secure the connections, update the configuration of VPN servers and clients by running VPN cmdlets.
## VPN server
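Review bot: this hunk only moves the "Group 2 ... is not secure" sentence above a blank line (it is deleted and re-added unchanged), so it is the right moment to say why and what to use instead: DH Group 2 is 1024-bit MODP, which is below current key-size guidance, and the sentence should name the replacement group (Group 14, 2048-bit MODP, or ECP256/ECP384), since the cmdlet examples in this file do not show one.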
@@ -28,7 +29,7 @@ For VPN servers that run Windows Server 2012 R2 or later, you need to run [Set-V
Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy
```
-On an earlier versions of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
+On an earlier version of Windows Server, run [Set-VpnServerIPsecConfiguration](/previous-versions/windows/powershell-scripting/hh918373(v=wps.620)). Since `Set-VpnServerIPsecConfiguration` doesn’t have `-TunnelType`, the configuration applies to all tunnel types on the server.
```powershell
Set-VpnServerIPsecConfiguration -CustomPolicy
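Review bot: the grammar fix is fine, but both examples in this section ("Set-VpnServerConfiguration -TunnelType IKEv2 -CustomPolicy" and "Set-VpnServerIPsecConfiguration -CustomPolicy") pass only the -CustomPolicy switch and never state which Diffie-Hellman group is applied, which is the whole point of the article. Set-VpnServerConfiguration takes a -DHGroup parameter; show it explicitly (for example "-DHGroup Group14") so a reader who copies the line does not end up with a custom policy that still negotiates Group 2.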
diff --git a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
index 21c295bad1..510a5a9e76 100644
--- a/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
+++ b/windows/security/identity-protection/vpn/how-to-use-single-sign-on-sso-over-vpn-and-wi-fi-connections.md
@@ -1,12 +1,12 @@
---
-title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10)
+title: How to use Single Sign-On (SSO) over VPN and Wi-Fi connections (Windows 10 and Windows 11)
description: Explains requirements to enable Single Sign-On (SSO) to on-premises domain resources over WiFi or VPN connections.
ms.prod: w10
ms.mktglfcycl: deploy
ms.sitesec: library
ms.pagetype: security
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/23/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
diff --git a/windows/security/identity-protection/vpn/vpn-authentication.md b/windows/security/identity-protection/vpn/vpn-authentication.md
index 2c0a581e8d..77824138a9 100644
--- a/windows/security/identity-protection/vpn/vpn-authentication.md
+++ b/windows/security/identity-protection/vpn/vpn-authentication.md
@@ -1,5 +1,5 @@
---
-title: VPN authentication options (Windows 10)
+title: VPN authentication options (Windows 10 and Windows 11)
description: Learn about the EAP authentication methods that Windows supports in VPNs to provide secure authentication using username/password and certificate-based methods.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security, networking
author: dansimp
ms.localizationpriority: medium
-ms.date: 07/27/2017
+ms.date: 09/23/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -17,7 +17,7 @@ ms.author: dansimp
**Applies to**
- Windows 10
-- Windows 10 Mobile
+- Windows 11
In addition to older and less-secure password-based authentication methods (which should be avoided), the built-in VPN solution uses Extensible Authentication Protocol (EAP) to provide secure authentication using both user name and password, and certificate-based methods. You can only configure EAP-based authentication if you select a built-in VPN type (IKEv2, L2TP, PPTP or Automatic).
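Review bot: swapping Windows 10 Mobile for Windows 11 in "Applies to" is correct. While touching this page, the sentence right below still lists "PPTP" alongside IKEv2 and L2TP as an EAP-capable built-in VPN type with no caveat, even though the same sentence says password-based methods "should be avoided"; PPTP is widely considered insecure (its MS-CHAPv2/MPPE design is crackable) and should carry at least the same warning, or be dropped from the list.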
@@ -27,7 +27,7 @@ Windows supports a number of EAP authentication methods.
Method Details
-EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)
+EAP-Transport Layer Security (EAP-TLS) EAP-Transport Layer Security (EAP-TLS) Protected Extensible Authentication Protocol (PEAP) Tunneled Transport Layer Security (TTLS)
-
-
+
+
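Review bot: as extracted here, this hunk removes the "EAP-Microsoft Challenge Handshake Authentication Protocol version 2 (EAP-MSCHAPv2)" entry and replaces it with one run-together line listing EAP-TLS twice, PEAP and TTLS, followed by four empty +/- lines, so the table cannot be reviewed in this form. Please check the rendered table: EAP-MSCHAPv2 should not silently disappear from the method list (it is what PEAP usually wraps, and readers searching for it will land here), the duplicated EAP-TLS cell looks like a copy-paste error, and the empty lines suggest markup that did not survive.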
@@ -386,8 +388,9 @@ Get-ADUser -filter {samaccountname -eq "administrator"}
> [!NOTE]
> Use of this command requires the RSAT-AD-PowerShell feature.
->
-> **Tip:** In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
+
+> [!TIP]
+> In addition to the Windows PowerShell command above, information about the locally logged on user and group membership can be found using: WHOAMI /ALL. This does not require the use of additional features.
In the example below, the user wishes to add a domain SID-based protector to the previously encrypted operating system volume. The user knows the SID for the user account or group they wish to add and uses the following command:
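Review bot: splitting the note into a NOTE and a TIP alert is fine, but two things: (1) "WHOAMI /ALL" is a command and should be in inline code the way "Set-VpnServerIPsecConfiguration" is elsewhere in this patch, preferably as lower-case "whoami /all"; (2) this hunk (Get-ADUser, SID-based protectors) is BitLocker content, yet it sits under the vpn-authentication.md file header with no "diff --git" line of its own, so the patch as shown appears to be missing a file header; please confirm the hunk applies to the intended file.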
diff --git a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
index 23b9d93073..f73028e4a0 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-countermeasures.md
@@ -21,7 +21,10 @@ ms.custom: bitlocker
# BitLocker Countermeasures
**Applies to**
-- Windows 10
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
Windows uses technologies including Trusted Platform Module (TPM), Secure Boot, and Measured Boot to help protect BitLocker encryption keys against attacks.
BitLocker is part of a strategic approach to securing data against offline attacks through encryption technology.
@@ -33,9 +36,9 @@ BitLocker helps mitigate unauthorized data access on lost or stolen computers be
- **Encrypting volumes on your computer.** For example, you can turn on BitLocker for your operating system volume, or a volume on a fixed or removable data drive (such as a USB flash drive, SD card, and so on). Turning on BitLocker for your operating system volume encrypts all system files on the volume, including the paging files and hibernation files. The only exception is for the System partition, which includes the Windows Boot Manager and minimal boot collateral required for decryption of the operating system volume after the key is unsealed.
- **Ensuring the integrity of early boot components and boot configuration data.** On devices that have a TPM version 1.2 or higher, BitLocker uses the enhanced security capabilities of the TPM to make data accessible only if the computer’s BIOS firmware code and configuration, original boot sequence, boot components, and BCD configuration all appear unaltered and the encrypted disk is located in the original computer. On systems that leverage TPM PCR[7], BCD setting changes deemed safe are permitted to improve usability.
-The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 10, Windows 8.1, and Windows 8.
+The next sections provide more details about how Windows protects against various attacks on the BitLocker encryption keys in Windows 11, Windows 10, Windows 8.1, and Windows 8.
-For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803, see [Standards for a highly secure Windows 10 device](/windows-hardware/design/device-experiences/oem-highly-secure).
+For more information about how to enable the best overall security configuration for devices beginning with Windows 10 version 1803 or Windows 11, see [Standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
## Protection before startup
@@ -105,8 +108,8 @@ It requires direct ethernet connectivity to an enterprise Windows Deployment Ser
### Protecting Thunderbolt and other DMA ports
There are a few different options to protect DMA ports, such as Thunderbolt™3.
-Beginning with Windows 10 version 1803, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
-This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803, as it requires changes in the system firmware and/or BIOS.
+Beginning with Windows 10 version 1803 or Windows 11, new Intel-based devices have kernel protection against DMA attacks via Thunderbolt™ 3 ports enabled by default.
+This Kernel DMA Protection is available only for new systems beginning with Windows 10 version 1803 or Windows 11, as it requires changes in the system firmware and/or BIOS.
You can use the System Information desktop app (MSINFO32) to check if a device has kernel DMA protection enabled:
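Review bot: "beginning with Windows 10 version 1803 or Windows 11" is redundant in both lines, since every Windows 11 build is newer than 1803; "Windows 10 version 1803 or later" already covers Windows 11. The same "or Windows 11" suffix is appended mechanically across this patch (see the 1607 mention in the next hunk); "or later" reads better everywhere. Also, "new Intel-based devices" dates from when the feature shipped for Thunderbolt 3 on Intel platforms in 1803; check whether it is still the right qualifier for Windows 11, where the real requirement is the firmware support the next sentence already describes.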
@@ -116,7 +119,7 @@ If kernel DMA protection *not* enabled, follow these steps to protect Thunderbol
1. Require a password for BIOS changes
2. Intel Thunderbolt Security must be set to User Authorization in BIOS settings. Please refer to [Intel Thunderbolt™ 3 and Security on Microsoft Windows® 10 Operating System documentation](https://thunderbolttechnology.net/security/Thunderbolt%203%20and%20Security.pdf)
-3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607):
+3. Additional DMA security may be added by deploying policy (beginning with Windows 10 version 1607 or Windows 11):
- MDM: [DataProtection/AllowDirectMemoryAccess](/windows/client-management/mdm/policy-csp-dataprotection#dataprotection-allowdirectmemoryaccess) policy
- Group Policy: [Disable new DMA devices when this computer is locked](./bitlocker-group-policy-settings.md#disable-new-dma-devices-when-this-computer-is-locked) (This setting is not configured by default.)
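Review bot: the context line this hunk sits under reads "If kernel DMA protection *not* enabled, follow these steps" and is missing "is"; since the list beneath it is being edited, fix the sentence too ("If Kernel DMA Protection is *not* enabled"). The step 2 link text "Microsoft Windows® 10 Operating System" is the external PDF's own title, so leave that one as is.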
@@ -136,7 +139,7 @@ This is the default configuration.
A BIOS password is recommended for defense-in-depth in case a BIOS exposes settings that may weaken the BitLocker security promise.
Intel Boot Guard and AMD Hardware Verified Boot support stronger implementations of Secure Boot that provide additional resilience against malware and physical attacks.
-Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows 10 device](/windows-hardware/design/device-experiences/oem-highly-secure).
+Intel Boot Guard and AMD Hardware Verified Boot are part of platform boot verification [standards for a highly secure Windows device](/windows-hardware/design/device-experiences/oem-highly-secure).
### Brute force attacks against a PIN
Require TPM + PIN for anti-hammering protection.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
index cd0b6543e6..e017f3cd8d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-deployment-comparison.md
@@ -20,7 +20,9 @@ ms.custom: bitlocker
**Applies to**
-- Windows 10
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This article depicts the BitLocker deployment comparison chart.
@@ -28,9 +30,9 @@ This article depicts the BitLocker deployment comparison chart.
| Requirements |Microsoft Intune |Microsoft Endpoint Configuration Manager |Microsoft BitLocker Administration and Monitoring (MBAM) |
|---------|---------|---------|---------|
-|Minimum client operating system version |Windows 10 | Windows 10 and Windows 8.1 | Windows 7 and later |
-|Supported Windows 10 SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
-|Minimum Windows 10 version |1909 | None | None |
+|Minimum client operating system version |Windows 11 and Windows 10 | Windows 11, Windows 10, and Windows 8.1 | Windows 7 and later |
+|Supported Windows SKUs | Enterprise, Pro, Education | Enterprise, Pro, Education | Enterprise |
+|Minimum Windows version |1909 | None | None |
|Supported domain-joined status | Microsoft Azure Active Directory (Azure AD) joined, hybrid Azure AD joined | Active Directory joined, hybrid Azure AD joined | Active Directory joined |
|Permissions required to manage policies | Endpoint security manager or custom | Full administrator or custom | Domain Admin or Delegated GPO access |
|Cloud or on premises | Cloud | On premises | On premises |
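Review bot: now that the "Minimum client operating system version" row lists Windows 11 alongside Windows 10, the bare "1909" in the renamed "Minimum Windows version" row is ambiguous: 1909 is a Windows 10 version, and any Windows 11 build qualifies. Write it as "Windows 10, version 1909 (any Windows 11 version)", matching the wording used in the "Recovery password rotation" row further down ("Windows 10, version 1909 and later or Windows 11").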
@@ -54,7 +56,7 @@ This article depicts the BitLocker deployment comparison chart.
|Can be administered outside company network | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | |
|Support for organization unique IDs | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Self-service recovery | Yes (through Azure AD or Company Portal app) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
-|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
+|Recovery password rotation for fixed and operating environment drives | Yes (Windows 10, version 1909 and later or Windows 11) | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Wait to complete encryption until recovery information is backed up to Azure AD | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | | |
|Wait to complete encryption until recovery information is backed up to Active Directory | | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
|Allow or deny Data Recovery Agent | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: | :::image type="content" source="images/yes-icon.png" alt-text="supported."::: |
diff --git a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
index cf15c6cd30..ddb93cce30 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-device-encryption-overview-windows-10.md
@@ -1,6 +1,6 @@
---
-title: Overview of BitLocker Device Encryption in Windows 10
-description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows 10.
+title: Overview of BitLocker Device Encryption in Windows
+description: This topic provides an overview of how BitLocker Device Encryption can help protect data on devices running Windows.
ms.prod: w10
ms.mktglfcycl: explore
ms.sitesec: library
@@ -17,21 +17,24 @@ ms.reviewer:
ms.custom: bitlocker
---
-# Overview of BitLocker Device Encryption in Windows 10
+# Overview of BitLocker Device Encryption in Windows
**Applies to**
-- Windows 10
-This topic explains how BitLocker Device Encryption can help protect data on devices running Windows 10.
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
+
+This topic explains how BitLocker Device Encryption can help protect data on devices running Windows.
For a general overview and list of topics about BitLocker, see [BitLocker](bitlocker-overview.md).
When users travel, their organization’s confidential data goes with them. Wherever confidential data is stored, it must be protected against unauthorized access. Windows has a long history of providing at-rest data-protection solutions that guard against nefarious attackers, beginning with the Encrypting File System in the Windows 2000 operating system. More recently, BitLocker has provided encryption for full drives and portable drives. Windows consistently improves data protection by improving existing options and by providing new strategies.
-Table 2 lists specific data-protection concerns and how they are addressed in Windows 10 and Windows 7.
+Table 2 lists specific data-protection concerns and how they are addressed in Windows 11, Windows 10, and Windows 7.
-**Table 2. Data Protection in Windows 10 and Windows 7**
+**Table 2. Data Protection in Windows 11, Windows 10, and Windows 7**
-| Windows 7 | Windows 10 |
+| Windows 7 | Windows 11 and Windows 10 |
|---|---|
| When BitLocker is used with a PIN to protect startup, PCs such as kiosks cannot be restarted remotely. | Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box and support SSO to seamlessly protect the BitLocker encryption keys from cold boot attacks.
Network Unlock allows PCs to start automatically when connected to the internal network. |
| When BitLocker is enabled, the provisioning process can take several hours. | BitLocker pre-provisioning, encrypting hard drives, and Used Space Only encryption allow administrators to enable BitLocker quickly on new computers. |
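Review bot: "Applies to" gains "Windows Server 2016 and above", but this page is specifically about BitLocker Device Encryption, the automatic out-of-the-box encryption that the Table 2 row itself describes ("Modern Windows devices are increasingly protected with BitLocker Device Encryption out of the box"). That automatic enablement is a client feature gated on Modern Standby/HSTI-class hardware and, to my knowledge, is not offered on Windows Server editions; Server supports BitLocker, not Device Encryption. Please confirm the Server line belongs here or scope it to the general BitLocker sections of the page.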
@@ -44,7 +47,7 @@ Table 2 lists specific data-protection concerns and how they are addressed in Wi
## Prepare for drive and file encryption
The best type of security measures are transparent to the user during implementation and use. Every time there is a possible delay or difficulty because of a security feature, there is strong likelihood that users will try to bypass security. This situation is especially true for data protection, and that’s a scenario that organizations need to avoid.
-Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 10 meets your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
+Whether you’re planning to encrypt entire volumes, removable devices, or individual files, Windows 11 and Windows 10 meet your needs by providing streamlined, usable solutions. In fact, you can take several steps in advance to prepare for data encryption and make the deployment quick and smooth.
### TPM pre-provisioning
@@ -55,22 +58,22 @@ In Windows 7, preparing the TPM for use offered a couple of challenges:
Basically, it was a big hassle. If IT staff were provisioning new PCs, they could handle all of this, but if you wanted to add BitLocker to devices that were already in users’ hands, those users would have struggled with the technical challenges and would either call IT for support or simply leave BitLocker disabled.
-Microsoft includes instrumentation in Windows 10 that enables the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
+Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM. There is no need to go into the BIOS, and all scenarios that required a restart have been eliminated.
## Deploy hard drive encryption
-BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
-With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 10.
+BitLocker is capable of encrypting entire hard drives, including both system and data drives. BitLocker pre-provisioning can drastically reduce the time required to provision new PCs with BitLocker enabled. With Windows 11 and Windows 10, administrators can turn on BitLocker and the TPM from within the Windows Preinstallation Environment before they install Windows or as part of an automated deployment task sequence without any user interaction. Combined with Used Disk Space Only encryption and a mostly empty drive (because Windows is not yet installed), it takes only a few seconds to enable BitLocker.
+With earlier versions of Windows, administrators had to enable BitLocker after Windows had been installed. Although this process could be automated, BitLocker would need to encrypt the entire drive, a process that could take anywhere from several hours to more than a day depending on drive size and performance, which significantly delayed deployment. Microsoft has improved this process through multiple features in Windows 11 and Windows 10.
## BitLocker Device Encryption
-Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition.
+Beginning in Windows 8.1, Windows automatically enables BitLocker Device Encryption on devices that support Modern Standby. With Windows 11 and Windows 10, Microsoft offers BitLocker Device Encryption support on a much broader range of devices, including those that are Modern Standby, and devices that run Windows 10 Home edition or Windows 11.
Microsoft expects that most devices in the future will pass the testing requirements, which makes BitLocker Device Encryption pervasive across modern Windows devices. BitLocker Device Encryption further protects the system by transparently implementing device-wide data encryption.
Unlike a standard BitLocker implementation, BitLocker Device Encryption is enabled automatically so that the device is always protected. The following list outlines how this happens:
-* When a clean installation of Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
+* When a clean installation of Windows 11 or Windows 10 is completed and the out-of-box experience is finished, the computer is prepared for first use. As part of this preparation, BitLocker Device Encryption is initialized on the operating system drive and fixed data drives on the computer with a clear key (this is the equivalent of standard BitLocker suspended state). In this state, the drive is shown with a warning icon in Windows Explorer. The yellow warning icon is removed after the TPM protector is created and the recovery key is backed up, as explained in the following bullet points.
* If the device is not domain joined, a Microsoft account that has been granted administrative privileges on the device is required. When the administrator uses a Microsoft account to sign in, the clear key is removed, a recovery key is uploaded to the online Microsoft account, and a TPM protector is created. Should a device require the recovery key, the user will be guided to use an alternate device and navigate to a recovery key access URL to retrieve the recovery key by using his or her Microsoft account credentials.
* If the user uses a domain account to sign in, the clear key is not removed until the user joins the device to a domain and the recovery key is successfully backed up to Active Directory Domain Services (AD DS). You must enable the **Computer Configuration\\Administrative Templates\\Windows Components\\BitLocker Drive Encryption\\Operating System Drives** Group Policy setting, and select the **Do not enable BitLocker until recovery information is stored in AD DS for operating system drives** option. With this configuration, the recovery password is created automatically when the computer joins the domain, and then the recovery key is backed up to AD DS, the TPM protector is created, and the clear key is removed.
* Similar to signing in with a domain account, the clear key is removed when the user logs on to an Azure AD account on the device. As described in the bullet point above, the recovery password is created automatically when the user authenticates to Azure AD. Then, the recovery key is backed up to Azure AD, the TPM protector is created, and the clear key is removed.
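Review bot: the rewritten sentence "Microsoft includes instrumentation in Windows 11 and Windows 10 that enable the operating system to fully manage the TPM" introduces a subject-verb disagreement; the subject is "instrumentation", so the original "enables" should be kept.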
@@ -88,28 +91,28 @@ Administrators can manage domain-joined devices that have BitLocker Device Encry
## Used Disk Space Only encryption
BitLocker in earlier Windows versions could take a long time to encrypt a drive, because it encrypted every byte on the volume (including parts that did not have data). That is still the most secure way to encrypt a drive, especially if a drive has previously contained confidential data that has since been moved or deleted. In that case, traces of the confidential data could remain on portions of the drive marked as unused.
-But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 10 lets users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
+But why encrypt a new drive when you can simply encrypt the data as it is being written? To reduce encryption time, BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data. Depending on the amount of data on the drive, this option can reduce encryption time by more than 99 percent.
Exercise caution when encrypting only used space on an existing volume on which confidential data may have already been stored in an unencrypted state, however, because those sectors can be recovered through disk-recovery tools until they are overwritten by new encrypted data. In contrast, encrypting only used space on a brand-new volume can significantly decrease deployment time without the security risk because all new data will be encrypted as it is written to the disk.
## Encrypted hard drive support
SEDs have been available for years, but Microsoft couldn’t support their use with some earlier versions of Windows because the drives lacked important key management features. Microsoft worked with storage vendors to improve the hardware capabilities, and now BitLocker supports the next generation of SEDs, which are called encrypted hard drives.
-Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
+Encrypted hard drives provide onboard cryptographic capabilities to encrypt data on drives, which improves both drive and system performance by offloading cryptographic calculations from the PC’s processor to the drive itself and rapidly encrypting the drive by using dedicated, purpose-built hardware. If you plan to use whole-drive encryption with Windows 11 or Windows 10, Microsoft recommends that you investigate hard drive manufacturers and models to determine whether any of their encrypted hard drives meet your security and budget requirements.
For more information about encrypted hard drives, see [Encrypted Hard Drive](../encrypted-hard-drive.md).
## Preboot information protection
An effective implementation of information protection, like most security controls, considers usability as well as security. Users typically prefer a simple security experience. In fact, the more transparent a security solution becomes, the more likely users are to conform to it.
It is crucial that organizations protect information on their PCs regardless of the state of the computer or the intent of users. This protection should not be cumbersome to users. One undesirable and previously commonplace situation is when the user is prompted for input during preboot, and then again during Windows logon. Challenging users for input more than once should be avoided.
-Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
+Windows 11 and Windows 10 can enable a true SSO experience from the preboot environment on modern devices and in some cases even on older devices when robust information protection configurations are in place. The TPM in isolation is able to securely protect the BitLocker encryption key while it is at rest, and it can securely unlock the operating system drive. When the key is in use and thus in memory, a combination of hardware and Windows capabilities can secure the key and prevent unauthorized access through cold-boot attacks. Although other countermeasures like PIN-based unlock are available, they are not as user-friendly; depending on the devices’ configuration they may not offer additional security when it comes to key protection. For more information, see [BitLocker Countermeasures](bitlocker-countermeasures.md).
## Manage passwords and PINs
When BitLocker is enabled on a system drive and the PC has a TPM, you can choose to require that users type a PIN before BitLocker will unlock the drive. Such a PIN requirement can prevent an attacker who has physical access to a PC from even getting to the Windows logon, which makes it virtually impossible for the attacker to access or modify user data and system files.
Requiring a PIN at startup is a useful security feature because it acts as a second authentication factor (a second “something you know”). This configuration comes with some costs, however. One of the most significant is the need to change the PIN regularly. In enterprises that used BitLocker with Windows 7 and the Windows Vista operating system, users had to contact systems administrators to update their BitLocker PIN or password. This requirement not only increased management costs but made users less willing to change their BitLocker PIN or password on a regular basis.
-Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
-For more information about how startup security works and the countermeasures that Windows 10 provides, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
+Windows 11 and Windows 10 users can update their BitLocker PINs and passwords themselves, without administrator credentials. Not only will this feature reduce support costs, but it could improve security, too, because it encourages users to change their PINs and passwords more often. In addition, Modern Standby devices do not require a PIN for startup: They are designed to start infrequently and have other mitigations in place that further reduce the attack surface of the system.
+For more information about how startup security works and the countermeasures that Windows 11 and Windows 10 provide, see [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md).
## Configure Network Unlock
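Review bot: "BitLocker in Windows 11 and Windows 10 let users choose to encrypt just their data" (the Used Disk Space Only paragraph) needs "lets"; the subject is still the singular "BitLocker", not the two Windows versions.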
@@ -138,6 +141,6 @@ Part of the Microsoft Desktop Optimization Pack, MBAM makes it easier to manage
* Enforces the BitLocker encryption policy options that you set for your enterprise.
* Integrates with existing management tools, such as Microsoft Endpoint Configuration Manager.
* Offers an IT-customizable recovery user experience.
-* Supports Windows 10.
+* Supports Windows 11 and Windows 10.
For more information about MBAM, including how to obtain it, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/) on the MDOP TechCenter.
\ No newline at end of file
diff --git a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
index c695b4b77c..25c64a62b1 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-group-policy-settings.md
@@ -22,7 +22,7 @@ ms.custom: bitlocker
**Applies to:**
-- Windows 10, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
+- Windows 10, Windows 11, Windows Server 2019, Windows Server 2016, Windows 8.1, and Windows Server 2012 R2
This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker Drive Encryption.
@@ -108,7 +108,7 @@ This policy setting allows users on devices that are compliant with Modern Stand
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can allow TPM-only protection for newer, more secure devices, such as devices that support Modern Standby or HSTI, while requiring PIN on older devices.|
-|**Introduced**|Windows 10, version 1703|
+|**Introduced**|Windows 10, version 1703, or Windows 11|
|**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption\Operating System Drives|
|**Conflicts**|This setting overrides the **Require startup PIN with TPM** option of the [Require additional authentication at startup](#bkmk-unlockpol1) policy on compliant hardware.|
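Review bot: the "Introduced" row now reads "Windows 10, version 1703, or Windows 11", which conflates the release that introduced the setting with later releases that also support it. Windows 11 is later than Windows 10, version 1703, so the original value was already accurate; if the intent is to state availability, a separate "Supported on" phrasing would be clearer. The same edit appears in the "Disable new DMA devices when this computer is locked" table later in this file.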
@@ -247,8 +247,8 @@ If the PIN is 4 digits, all 9999 possible PIN combinations could be attempted in
Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
-Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
-To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+Beginning with Windows 10, version 1703, or Windows 11, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
+To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017, or Windows 11 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### Disable new DMA devices when this computer is locked
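Review bot: the inserted ", or Windows 11" splits the phrase "October 2017 cumulative update", so the sentence now reads as though Windows 11 requires the October 2017 cumulative update linked there (support.microsoft.com/help/4018124, a Windows 10 update). Suggest restoring the phrase and adding Windows 11 as its own clause: "...with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, or Windows 11, the BitLocker PIN length is 6 characters by default...". The preceding line has the same "version 1703, or Windows 11" construction, where "or Windows 11" is redundant because Windows 11 post-dates version 1703.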
@@ -258,7 +258,7 @@ This policy setting allows you to block direct memory access (DMA) for all hot p
| | |
|:---|:---|
|**Policy description**|This setting helps prevent attacks that use external PCI-based devices to access BitLocker keys.|
-|**Introduced**|Windows 10, version 1703|
+|**Introduced**|Windows 10, version 1703, or Windows 11|
|**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|None|
@@ -612,7 +612,7 @@ This policy setting is used to control the encryption method and cipher strength
|**Policy path**|Computer Configuration\Administrative Templates\Windows Components\BitLocker Drive Encryption|
|**Conflicts**|None|
|**When enabled**|You can choose an encryption algorithm and key cipher strength for BitLocker to use to encrypt drives.|
-|**When disabled or not configured**|Beginning with Windows 10, version 1511, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.|
+|**When disabled or not configured**|Beginning with Windows 10, version 1511, or Windows 11, BitLocker uses the default encryption method of XTS-AES 128-bit or the encryption method that is specified by the setup script. Windows Phone does not support XTS; it uses AES-CBC 128-bit by default and supports AES-CBC 256-bit by policy.|
**Reference**
@@ -621,7 +621,7 @@ Enterprises may want to control the encryption level for increased security (AES
If you enable this setting, you will be able to configure an encryption algorithm and key cipher strength for fixed data drives, operating system drives, and removable data drives individually.
For fixed and operating system drives, we recommend that you use the XTS-AES algorithm.
-For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later.
+For removable drives, you should use AES-CBC 128-bit or AES-CBC 256-bit if the drive will be used in other devices that are not running Windows 10, version 1511 or later, or Windows 11.
Changing the encryption method has no effect if the drive is already encrypted or if encryption is in progress. In these cases, this policy setting is ignored.
@@ -965,7 +965,7 @@ This policy setting is used to configure the entire recovery message and to repl
| | |
|:---|:---|
|**Policy description**|With this policy setting, you can configure the BitLocker recovery screen to display a customized message and URL.|
-|**Introduced**|Windows 10|
+|**Introduced**|Windows|
|**Drive type**|Operating system drives|
|**Policy path**|Computer Configuration \ Administrative Templates \ Windows Components \ BitLocker Drive Encryption \ Operating System Drives \ Configure pre-boot recovery message and URL|
|**Conflicts**|None|
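Review bot: changing the "Introduced" row from "Windows 10" to "Windows" removes the information the row exists to carry (which release first shipped the setting) and is inconsistent with the other "Introduced" rows in this file, which keep a Windows 10 version. Keep "Windows 10" here.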
diff --git a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
index 0327b8ec18..5adf857335 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-how-to-enable-network-unlock.md
@@ -21,7 +21,10 @@ ms.custom: bitlocker
# BitLocker: How to enable Network Unlock
**Applies to**
-- Windows 10
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This article for IT professionals describes how BitLocker Network Unlock works and how to configure it.
diff --git a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
index 54f967207f..eabe91593f 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-management-for-enterprises.md
@@ -35,11 +35,11 @@ Enterprises can use [Microsoft BitLocker Administration and Monitoring (MBAM)](/
## Managing devices joined to Azure Active Directory
-Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
+Devices joined to Azure AD are managed using Mobile Device Management (MDM) policy from an MDM solution such as Microsoft Intune. Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy. Starting with Windows 10, version 1809, or Windows 11, Intune can enable BitLocker for standard users. [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) status can be queried from managed machines via the [Policy Configuration Settings Provider (CSP)](/windows/client-management/mdm/policy-configuration-service-provider/), which reports on whether BitLocker Device Encryption is enabled on the device. Compliance with BitLocker Device Encryption policy can be a requirement for [Conditional Access](https://www.microsoft.com/cloud-platform/conditional-access/) to services like Exchange Online and SharePoint Online.
-Starting with Windows 10 version 1703 (also known as the Windows Creators Update), the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 10 and on Windows phones.
+Starting with Windows 10 version 1703 (also known as the Windows Creators Update), or Windows 11, the enablement of BitLocker can be triggered over MDM either by the [Policy CSP](/windows/client-management/mdm/policy-configuration-service-provider/) or the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/). The BitLocker CSP adds policy options that go beyond ensuring that encryption has occurred, and is available on computers that run Windows 11, Windows 10, and on Windows phones.
-For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
+For hardware that is compliant with Modern Standby and HSTI, when using either of these features, [BitLocker Device Encryption](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption) is automatically turned on whenever the user joins a device to Azure AD. Azure AD provides a portal where recovery keys are also backed up, so users can retrieve their own recovery key for self-service, if required. For older devices that are not yet encrypted, beginning with Windows 10 version 1703 (the Windows 10 Creators Update), or Windows 11, admins can use the [BitLocker CSP](/windows/client-management/mdm/bitlocker-csp/) to trigger encryption and store the recovery key in Azure AD.
This is applicable to Azure Hybrid AD as well.
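Review bot: "Without Windows 10, version 1809, or Windows 11, only local administrators can enable BitLocker via Intune policy" is unclear; since the next sentence says "Starting with Windows 10, version 1809, or Windows 11", this one should read "Before Windows 10, version 1809, only local administrators..." (Windows 11 cannot be "before" version 1809, so it does not belong in the first sentence). In the second paragraph, "on computers that run Windows 11, Windows 10, and on Windows phones" mixes list forms; "on computers that run Windows 11 or Windows 10 and on Windows phones" reads cleanly.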
@@ -105,7 +105,7 @@ Enable-BitLocker -MountPoint "C:" -EncryptionMethod XtsAes256 -UsedSpaceOnly -Pi
[Microsoft BitLocker Administration and Management (MBAM)](/microsoft-desktop-optimization-pack/mbam-v25/)
-[Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
+[Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md#bitlocker-device-encryption)
[BitLocker Group Policy Reference](./bitlocker-group-policy-settings.md)
diff --git a/windows/security/information-protection/bitlocker/bitlocker-overview.md b/windows/security/information-protection/bitlocker/bitlocker-overview.md
index 60ab1074cd..bc8488a920 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-overview.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-overview.md
@@ -21,7 +21,10 @@ ms.custom: bitlocker
# BitLocker
**Applies to**
-- Windows 10
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This topic provides a high-level overview of BitLocker, including a list of system requirements, practical applications, and deprecated features.
@@ -49,7 +52,7 @@ BitLocker control panel, and they are appropriate to use for automated deploymen
## New and changed functionality
-To find out what's new in BitLocker for Windows 10, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
+To find out what's new in BitLocker for Windows, such as support for the XTS-AES encryption algorithm, see the [BitLocker](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#bitlocker) section in "What's new in Windows 10."
## System requirements
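Review bot: the sentence now promises "what's new in BitLocker for Windows" but still points only to the Windows 10 version 1507 and 1511 what's-new section and quotes the title "What's new in Windows 10". Either keep "for Windows 10" in the lead-in, or add a link to the corresponding Windows 11 what's-new topic so the generalized wording is backed by a reference.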
@@ -66,7 +69,7 @@ The system BIOS or UEFI firmware (for TPM and non-TPM computers) must support th
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
-
+>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
The hard disk must be partitioned with at least two drives:
@@ -84,7 +87,7 @@ When installing the BitLocker optional component on a server you will also need
| Topic | Description |
| - | - |
-| [Overview of BitLocker Device Encryption in Windows 10](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows 10. |
+| [Overview of BitLocker Device Encryption in Windows](bitlocker-device-encryption-overview-windows-10.md) | This topic for the IT professional provides an overview of the ways that BitLocker Device Encryption can help protect data on devices running Windows. |
| [BitLocker frequently asked questions (FAQ)](bitlocker-frequently-asked-questions.yml) | This topic for the IT professional answers frequently asked questions concerning the requirements to use, upgrade, deploy and administer, and key management policies for BitLocker.|
| [Prepare your organization for BitLocker: Planning and policies](prepare-your-organization-for-bitlocker-planning-and-policies.md)| This topic for the IT professional explains how can you plan your BitLocker deployment. |
| [BitLocker basic deployment](bitlocker-basic-deployment.md) | This topic for the IT professional explains how BitLocker features can be used to protect your data through drive encryption. |
@@ -95,7 +98,7 @@ When installing the BitLocker optional component on a server you will also need
| [BitLocker Group Policy settings](bitlocker-group-policy-settings.md) | This topic for IT professionals describes the function, location, and effect of each Group Policy setting that is used to manage BitLocker. |
| [BCD settings and BitLocker](bcd-settings-and-bitlocker.md) | This topic for IT professionals describes the BCD settings that are used by BitLocker.|
| [BitLocker Recovery Guide](bitlocker-recovery-guide-plan.md)| This topic for IT professionals describes how to recover BitLocker keys from AD DS. |
-| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
+| [Protect BitLocker from pre-boot attacks](./bitlocker-countermeasures.md)| This detailed guide will help you understand the circumstances under which the use of pre-boot authentication is recommended for devices running Windows 11, Windows 10, Windows 8.1, Windows 8, or Windows 7; and when it can be safely omitted from a device’s configuration. |
| [Troubleshoot BitLocker](troubleshoot-bitlocker.md) | This guide describes the resources that can help you troubleshoot BitLocker issues, and provides solutions for several common BitLocker issues. |
| [Protecting cluster shared volumes and storage area networks with BitLocker](protecting-cluster-shared-volumes-and-storage-area-networks-with-bitlocker.md)| This topic for IT pros describes how to protect CSVs and SANs with BitLocker.|
-| [Enabling Secure Boot and BitLocker Device Encryption on Windows 10 IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows 10 IoT Core |
\ No newline at end of file
+| [Enabling Secure Boot and BitLocker Device Encryption on Windows IoT Core](/windows/iot-core/secure-your-device/SecureBootAndBitLocker) | This topic covers how to use BitLocker with Windows IoT Core |
\ No newline at end of file
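Review bot: the file still ends without a trailing newline on both sides of this hunk; since the last row is being edited anyway, add the final newline so the next change to this table does not produce the same `\ No newline at end of file` churn. Separately, the last row renames the product to "Windows IoT Core" while its link still points at `/windows/iot-core/...`; "Windows 10 IoT Core" is a product name rather than a generic version reference, so confirm the rename is intended before dropping the "10" (the same rename appears again later in this PR).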
diff --git a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
index a72324edf4..bc39c1121d 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-recovery-guide-plan.md
@@ -22,7 +22,9 @@ ms.custom: bitlocker
**Applies to:**
-- Windows 10
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This article for IT professionals describes how to recover BitLocker keys from AD DS.
@@ -123,7 +125,7 @@ Before you create a thorough BitLocker recovery process, we recommend that you t
When planning the BitLocker recovery process, first consult your organization's current best practices for recovering sensitive information. For example: How does your enterprise handle lost Windows passwords? How does your organization perform smart card PIN resets? You can use these best practices and related resources (people and tools) to help formulate a BitLocker recovery model.
-Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
+Organizations that rely on BitLocker Drive Encryption and BitLocker To Go to protect data on a large number of computers and removable drives running the Windows 11, Windows 10, Windows 8, or Windows 7 operating systems and Windows to Go should consider using the Microsoft BitLocker Administration and Monitoring (MBAM) Tool version 2.0, which is included in the Microsoft Desktop Optimization Pack (MDOP) for Microsoft Software Assurance. MBAM makes BitLocker implementations easier to deploy and manage and allows administrators to provision and monitor encryption for operating system and fixed drives. MBAM prompts the user before encrypting fixed drives. MBAM also manages recovery keys for fixed and removable drives, making recovery easier to manage. MBAM can be used as part of a Microsoft System Center deployment or as a stand-alone solution. For more info, see [Microsoft BitLocker Administration and Monitoring](/microsoft-desktop-optimization-pack/mbam-v25/).
After a BitLocker recovery has been initiated, users can use a recovery password to unlock access to encrypted data. Consider both self-recovery and recovery password retrieval methods for your organization.
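Review bot: extending the list of operating systems for which MBAM is recommended to Windows 11 needs a source; the sentence still says "MBAM Tool version 2.0" while its link goes to the `mbam-v25` documentation, so the version reference and the supported-OS list should be checked together and made consistent rather than only widening the OS list.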
@@ -291,7 +293,7 @@ During BitLocker recovery, Windows can display a custom recovery message and hin
### Custom recovery message
-BitLocker Group Policy settings in Windows 10, version 1511, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
+BitLocker Group Policy settings in Windows 10, version 1511, or Windows 11, let you configure a custom recovery message and URL on the BitLocker recovery screen, which can include the address of the BitLocker self-service recovery portal, the IT internal website, or a phone number for support.
This policy can be configured using GPO under **Computer Configuration** > **Administrative Templates** > **Windows Components** > **BitLocker Drive Encryption** > **Operating System Drives** > **Configure pre-boot recovery message and URL**.
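Review bot: punctuation is inconsistent with the parallel sentence in the next hunk of this file: here the insertion reads "Windows 10, version 1511, or Windows 11, let you", while the recovery-key-hints sentence reads "Windows 10, version 1903 or Windows 11 to include"; pick one comma style for "Windows 10, version NNNN, or Windows 11" and apply it in both places.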
@@ -307,7 +309,7 @@ Example of customized recovery screen:
### BitLocker recovery key hints
-BitLocker metadata has been enhanced in Windows 10, version 1903 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.
+BitLocker metadata has been enhanced in Windows 10, version 1903 or Windows 11 to include information about when and where the BitLocker recovery key was backed up. This information is not exposed through the UI or any public API. It is used solely by the BitLocker recovery screen in the form of hints to help a user locate a volume's recovery key. Hints are displayed on the recovery screen and refer to the location where the key has been saved. Hints are displayed on both the modern (blue) and legacy (black) recovery screen. This applies to both the boot manager recovery screen and the WinRE unlock screen.

diff --git a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
index e8045e225c..a4bc245136 100644
--- a/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
+++ b/windows/security/information-protection/bitlocker/bitlocker-use-bitlocker-drive-encryption-tools-to-manage-bitlocker.md
@@ -21,7 +21,10 @@ ms.custom: bitlocker
# BitLocker: Use BitLocker Drive Encryption Tools to manage BitLocker
**Applies to**
-- Windows 10
+
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
This article for the IT professional describes how to use tools to manage BitLocker.
@@ -61,7 +64,8 @@ manage-bde –protectors -add C: -startupkey E:
manage-bde -on C:
```
->**Note:** After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
+> [!NOTE]
+> After the encryption is completed, the USB startup key must be inserted before the operating system can be started.
An alternative to the startup key protector on non-TPM hardware is to use a password and an **ADaccountorgroup** protector to protect the operating system volume. In this scenario, you would add the protectors first. To add them, use this command:
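Review bot: the command in this hunk's context line (`manage-bde –protectors -add C: -startupkey E:`) uses an en dash (U+2013) before `protectors` instead of an ASCII hyphen, so copying it verbatim fails; since the note directly below it is being reworked, replace it with `manage-bde -protectors -add C: -startupkey E:` in the same change.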
@@ -99,7 +103,8 @@ You may experience a problem that damages an area of a hard disk on which BitLoc
The BitLocker Repair Tool (Repair-bde) can be used to access encrypted data on a severely damaged hard disk if the drive was encrypted by using BitLocker. Repair-bde can reconstruct critical parts of the drive and salvage recoverable data as long as a valid recovery password or recovery key is used to decrypt the data. If the BitLocker metadata data on the drive has become corrupt, you must be able to supply a backup key package in addition to the recovery password or recovery key. This key package is backed up in Active Directory Domain Services (AD DS) if you used the default setting for AD DS backup. With this key package and either the recovery password or recovery key, you can decrypt portions of a BitLocker-protected drive if the disk is corrupted. Each key package will work only for a drive that has the corresponding drive identifier. You can use the BitLocker Recovery Password Viewer to obtain this key package from AD DS.
->**Tip:** If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
+> [!TIP]
+> If you are not backing up recovery information to AD DS or if you want to save key packages alternatively, you can use the command `manage-bde -KeyPackage` to generate a key package for a volume.
The Repair-bde command-line tool is intended for use when the operating system does not start or when you cannot start the BitLocker Recovery Console. Use Repair-bde if the following conditions are true:
@@ -107,7 +112,8 @@ The Repair-bde command-line tool is intended for use when the operating system d
- Windows does not start, or you cannot start the BitLocker recovery console.
- You do not have a copy of the data that is contained on the encrypted drive.
->**Note:** Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
+> [!NOTE]
+> Damage to the drive may not be related to BitLocker. Therefore, we recommend that you try other tools to help diagnose and resolve the problem with the drive before you use the BitLocker Repair Tool. The Windows Recovery Environment (Windows RE) provides additional options to repair computers.
The following limitations exist for Repair-bde:
@@ -127,8 +133,8 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
-
-
+
+
@@ -248,10 +254,13 @@ Windows PowerShell cmdlets provide a new way for administrators to use when work
Get-BitLockerVolume
cmdlet.
+
The Get-BitLockerVolume
cmdlet output gives information on the volume type, protectors, protection status, and other details.
->**Tip:** Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
+> [!TIP]
+> Occasionally, all protectors may not be shown when using `Get-BitLockerVolume` due to lack of space in the output display. If you do not see all of the protectors for a volume, you can use the Windows PowerShell pipe command (|) to format a full listing of the protectors.
`Get-BitLockerVolume C: | fl`
If you want to remove the existing protectors prior to provisioning BitLocker on the volume, you could use the `Remove-BitLockerKeyProtector` cmdlet. Accomplishing this requires the GUID associated with the protector to be removed.
@@ -271,7 +280,8 @@ By using this information, you can then remove the key protector for a specific
Remove-BitLockerKeyProtector
-Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows 10 security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows 10 IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
+Although some of the aforementioned features have additional hardware requirements (e.g., virtualization support), the TPM is a cornerstone of Windows security. Microsoft and other industry stakeholders continue to improve the global standards associated with TPM and find more and more applications that use it to provide tangible benefits to customers. Microsoft has included support for most TPM features in its version of Windows for the Internet of Things (IoT) called [Windows IoT Core](https://developer.microsoft.com/windows/iot/iotcore). IoT devices that might be deployed in insecure physical locations and connected to cloud services like [Azure IoT Hub](https://azure.microsoft.com/documentation/services/iot-hub/) for management can use the TPM in innovative ways to address their emerging security requirements.
diff --git a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
index e2bdcc7c8a..bb72304f8c 100644
--- a/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
+++ b/windows/security/information-protection/tpm/initialize-and-configure-ownership-of-the-tpm.md
@@ -1,6 +1,6 @@
---
-title: Troubleshoot the TPM (Windows 10)
-description: This topic for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
+title: Troubleshoot the TPM (Windows)
+description: This article for the IT professional describes how to view status for, clear, or troubleshoot the Trusted Platform Module (TPM).
ms.assetid: 1166efaf-7aa3-4420-9279-435d9c6ac6f8
ms.reviewer:
ms.prod: w10
@@ -13,46 +13,47 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/11/2018
+ms.date: 09/06/2021
---
# Troubleshoot the TPM
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
-This topic provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
+This article provides information for the IT professional to troubleshoot the Trusted Platform Module (TPM):
- [Troubleshoot TPM initialization](#troubleshoot-tpm-initialization)
- [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm)
-With TPM 1.2 and Windows 10, version 1507 or 1511, you can also take the following actions:
+With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions:
- [Turn on or turn off the TPM](#turn-on-or-turn-off)
-For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps).
+For information about the TPM cmdlets, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## About TPM initialization and ownership
-Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
+Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This is a change from previous operating systems, where you would initialize the TPM and create an owner password.
## Troubleshoot TPM initialization
If you find that Windows is not able to initialize the TPM automatically, review the following information:
-- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
+- You can try clearing the TPM to the factory default values and allowing Windows to re-initialize it. For important precautions for this process, and instructions for completing it, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
- If the TPM is a TPM 2.0 and is not detected by Windows, verify that your computer hardware contains a Unified Extensible Firmware Interface (UEFI) that is Trusted Computing Group-compliant. Also, ensure that in the UEFI settings, the TPM has not been disabled or hidden from the operating system.
-- If you have TPM 1.2 with Windows 10, version 1507 or 1511, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it.
+- If you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, the TPM might be turned off, and need to be turned back on, as described in [Turn on the TPM](#turn-on-the-tpm). When it is turned back on, Windows will re-initialize it.
- If you are attempting to set up BitLocker with the TPM, check which TPM driver is installed on the computer. We recommend always using one of the TPM drivers that is provided by Microsoft and is protected with BitLocker. If a non-Microsoft TPM driver is installed, it may prevent the default TPM driver from loading and cause BitLocker to report that a TPM is not present on the computer. If you have a non-Microsoft driver installed, remove it and then allow the operating system to initialize the TPM.
-### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511
+### Troubleshoot network connection issues for Windows 10, versions 1507 and 1511, or Windows 11
-If you have Windows 10, version 1507 or 1511, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist:
+If you have Windows 10, version 1507 or 1511, or Windows 11, the initialization of the TPM cannot complete when your computer has network connection issues and both of the following conditions exist:
- An administrator has configured your computer to require that TPM recovery information be saved in Active Directory Domain Services (AD DS). This requirement can be configured through Group Policy.
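Review bot: adding "or Windows 11" to the TPM 1.2 turn-on/turn-off scope ("With TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, you can also take the following actions", repeated in the initialization bullet and the network-connection heading) conflicts with the later change in this same file that retitles the section "TPM 1.2 with Windows 10, version 1507 and higher", and the original deliberately limited this capability to two specific Windows 10 releases; Windows 11 also requires TPM 2.0, so a TPM 1.2-only procedure should not be extended to it. Suggest leaving these three sentences scoped to "Windows 10, version 1507 or 1511" and updating only the generic "Windows 10" references.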
@@ -62,7 +63,7 @@ If these issues occur, an error message appears, and you cannot complete the ini
### Troubleshoot systems with multiple TPMs
-Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows 10 does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this topic.
+Some systems may have multiple TPMs and the active TPM may be toggled in UEFI. Windows does not support this behavior. If you switch TPMs, Windows might not properly detect or interact with the new TPM. If you plan to switch TPMs you should toggle to the new TPM, clear it, and reinstall Windows. For more information, see [Clear all the keys from the TPM](#clear-all-the-keys-from-the-tpm), later in this article.
For example, toggling TPMs will cause BitLocker to enter recovery mode. We strongly recommend that, on systems with two TPMs, one TPM is selected to be used and the selection is not changed.
@@ -70,7 +71,7 @@ For example, toggling TPMs will cause BitLocker to enter recovery mode. We stron
You can use the Windows Defender Security Center app to clear the TPM as a troubleshooting step, or as a final preparation before a clean installation of a new operating system. Preparing for a clean installation in this way helps ensure that the new operating system can fully deploy any TPM-based functionality that it includes, such as attestation. However, even if the TPM is not cleared before a new operating system is installed, most TPM functionality will probably work correctly.
-Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows 10 operating system will automatically re-initialize it and take ownership again.
+Clearing the TPM resets it to an unowned state. After you clear the TPM, the Windows operating system will automatically re-initialize it and take ownership again.
> [!WARNING]
> Clearing the TPM can result in data loss. For more information, see the next section, “Precautions to take before clearing the TPM.”
@@ -79,11 +80,11 @@ Clearing the TPM resets it to an unowned state. After you clear the TPM, the Win
Clearing the TPM can result in data loss. To protect against such loss, review the following precautions:
-- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a login PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
+- Clearing the TPM causes you to lose all created keys associated with the TPM, and data protected by those keys, such as a virtual smart card or a sign in PIN. Make sure that you have a backup and recovery method for any data that is protected or encrypted by the TPM.
- Do not clear the TPM on a device you do not own, such as a work or school PC, without being instructed to do so by your IT administrator.
-- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this topic.
+- If you want to temporarily suspend TPM operations and you have TPM 1.2 with Windows 10, version 1507 or 1511, or Windows 11, you can turn off the TPM. For more information, see [Turn off the TPM](#turn-off-the-tpm), later in this article.
- Always use functionality in the operating system (such as TPM.msc) to the clear the TPM. Do not clear the TPM directly from UEFI.
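Review bot: "sign in PIN" should be hyphenated as "sign-in PIN" when used as a modifier; the unchanged context line "to the clear the TPM" also has a stray "the", and the turn-off bullet widens the TPM 1.2 scope to "or Windows 11", which conflicts with the "version 1507 and higher" heading change later in this file.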
@@ -95,19 +96,19 @@ Membership in the local Administrators group, or equivalent, is the minimum requ
1. Open the Windows Defender Security Center app.
-2. Click **Device security**.
+2. Select **Device security**.
-3. Click **Security processor details**.
+3. Select **Security processor details**.
-4. Click **Security processor troubleshooting**.
+4. Select **Security processor troubleshooting**.
-5. Click **Clear TPM**.
+5. Select **Clear TPM**.
6. You will be prompted to restart the computer. During the restart, you might be prompted by the UEFI to press a button to confirm that you wish to clear the TPM.
-7. After the PC restarts, your TPM will be automatically prepared for use by Windows 10.
+7. After the PC restarts, your TPM will be automatically prepared for use by Windows.
-## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 or 1511)
+## Turn on or turn off the TPM (available only with TPM 1.2 with Windows 10, version 1507 and higher)
Normally, the TPM is turned on as part of the TPM initialization process. You do not normally need to turn the TPM on or off. However, if necessary you can do so by using the TPM MMC.
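Review bot: the heading change from "version 1507 or 1511" to "version 1507 and higher" removes the upper version bound without any supporting change elsewhere in the hunk; the original wording limits the turn-on/turn-off feature to two releases, and "and higher" would claim it for every later Windows 10 build. Keep the original bound unless the product behaviour has been confirmed, and apply the same decision to the two procedure titles that follow.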
@@ -115,13 +116,13 @@ Normally, the TPM is turned on as part of the TPM initialization process. You do
If you want to use the TPM after you have turned it off, you can use the following procedure to turn on the TPM.
-**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)**
+**To turn on the TPM (TPM 1.2 with Windows 10, version 1507 and higher)**
1. Open the TPM MMC (tpm.msc).
-2. In the **Action** pane, click **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
+2. In the **Action** pane, select **Turn TPM On** to display the **Turn on the TPM Security Hardware** page. Read the instructions on this page.
-3. Click **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
+3. Select **Shutdown** (or **Restart**), and then follow the UEFI screen prompts.
After the computer restarts, but before you sign in to Windows, you will be prompted to accept the reconfiguration of the TPM. This ensures that the user has physical access to the computer and that malicious software is not attempting to make changes to the TPM.
@@ -129,24 +130,24 @@ If you want to use the TPM after you have turned it off, you can use the followi
If you want to stop using the services that are provided by the TPM, you can use the TPM MMC to turn off the TPM.
-**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 or 1511 only)**
+**To turn off the TPM (TPM 1.2 with Windows 10, version 1507 and higher)**
1. Open the TPM MMC (tpm.msc).
-2. In the **Action** pane, click **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
+2. In the **Action** pane, select **Turn TPM Off** to display the **Turn off the TPM security hardware** page.
3. In the **Turn off the TPM security hardware** dialog box, select a method to enter your owner password and turning off the TPM:
- - If you saved your TPM owner password on a removable storage device, insert it, and then click **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, click **Browse** to locate the .tpm file that is saved on your removable storage device, click **Open**, and then click **Turn TPM Off**.
+ - If you saved your TPM owner password on a removable storage device, insert it, and then select **I have the owner password file**. In the **Select backup file with the TPM owner password** dialog box, select **Browse** to locate the .tpm file that is saved on your removable storage device, select **Open**, and then select **Turn TPM Off**.
- - If you do not have the removable storage device with your saved TPM owner password, click **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then click **Turn TPM Off**.
+ - If you do not have the removable storage device with your saved TPM owner password, select **I want to enter the password**. In the **Type your TPM owner password** dialog box, type your password (including hyphens), and then select **Turn TPM Off**.
- - If you did not save your TPM owner password or no longer know it, click **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
+ - If you did not save your TPM owner password or no longer know it, select **I do not have the TPM owner password**, and follow the instructions that are provided in the dialog box and subsequent UEFI screens to turn off the TPM without entering the password.
## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps).
+You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
-## Related topics
+## Related articles
-- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
\ No newline at end of file
+- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of articles)
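Review bot: step 3 in this hunk's unchanged context reads "select a method to enter your owner password and turning off the TPM"; since every bullet under it is being edited, fix the parallelism to "enter your owner password and turn off the TPM" in the same change. The trailing newline added at end of file is a welcome cleanup.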
diff --git a/windows/security/information-protection/tpm/manage-tpm-commands.md b/windows/security/information-protection/tpm/manage-tpm-commands.md
index af241069fd..23fb8a8789 100644
--- a/windows/security/information-protection/tpm/manage-tpm-commands.md
+++ b/windows/security/information-protection/tpm/manage-tpm-commands.md
@@ -1,5 +1,5 @@
---
-title: Manage TPM commands (Windows 10)
+title: Manage TPM commands (Windows)
description: This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
ms.assetid: a78e751a-2806-43ae-9c20-2e7ca466b765
ms.reviewer:
@@ -13,14 +13,15 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 11/30/2017
+ms.date: 09/06/2021
---
# Manage TPM commands
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This topic for the IT professional describes how to manage which Trusted Platform Module (TPM) commands are available to domain users and to local users.
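Review bot: wording is inconsistent with the sibling TPM file in this PR: `initialize-and-configure-ownership-of-the-tpm.md` switched "This topic" to "This article" and "Related topics" to "Related articles", but here the `description:` metadata and the intro sentence keep "topic", as does the "## Related topics" heading in the next hunk. Apply the same term across the TPM pages.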
@@ -78,7 +79,7 @@ The following procedures describe how to manage the TPM command lists. You must
## Use the TPM cmdlets
-You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps).
+You can manage the TPM using Windows PowerShell. For details, see [TrustedPlatformModule PowerShell cmdlets](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true).
## Related topics
diff --git a/windows/security/information-protection/tpm/manage-tpm-lockout.md b/windows/security/information-protection/tpm/manage-tpm-lockout.md
index 8991e9b48b..fe1fb8255c 100644
--- a/windows/security/information-protection/tpm/manage-tpm-lockout.md
+++ b/windows/security/information-protection/tpm/manage-tpm-lockout.md
@@ -1,5 +1,5 @@
---
-title: Manage TPM lockout (Windows 10)
+title: Manage TPM lockout (Windows)
description: This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
ms.assetid: bf27adbe-404c-4691-a644-29ec722a3f7b
ms.reviewer:
@@ -13,13 +13,14 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 05/02/2017
+ms.date: 09/06/2021
---
# Manage TPM lockout
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
This topic for the IT professional describes how to manage the lockout feature for the Trusted Platform Module (TPM) in Windows.
@@ -37,14 +38,14 @@ The industry standards from the Trusted Computing Group (TCG) specify that TPM m
**TPM 2.0**
-TPM 2.0 devices have standardized lockout behavior which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows 10 configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event which increases the counter will cause the counter to decrease by 1.
+TPM 2.0 devices have standardized lockout behavior, which is configured by Windows. TPM 2.0 devices have a maximum count threshold and a healing time. Windows configures the maximum count to be 32 and the healing time to be 10 minutes. This means that every continuous ten minutes of powered on operation without an event, which increases the counter will cause the counter to decrease by 1.
-If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607.
+If your TPM has entered lockout mode or is responding slowly to commands, you can reset the lockout value by using the following procedures. Resetting the TPM lockout requires the TPM owner’s authorization. This value is no longer retained by default starting with Windows 10 version 1607 and higher.
## Reset the TPM lockout by using the TPM MMC
> [!NOTE]
-> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607.
+> This procedure is only available if you have configured Windows to retain the TPM Owner Password. By default, this password is not available in Windows 10 starting with version 1607 and higher.
The following procedure explains the steps to reset the TPM lockout by using the TPM MMC.
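Review bot: The comma added in the TPM 2.0 paragraph ("without an event, which increases the counter will cause the counter to decrease by 1") turns the restrictive clause into a non-restrictive one and leaves the sentence ungrammatical; write "without an event that increases the counter causes the counter to decrease by 1." Also, "starting with Windows 10 version 1607 and higher" (used in both the lockout paragraph and the note) is redundant, since "starting with" already implies later versions; "starting with Windows 10, version 1607" is enough.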
diff --git a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
index fed9817bba..f2c79979ef 100644
--- a/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
+++ b/windows/security/information-protection/tpm/switch-pcr-banks-on-tpm-2-0-devices.md
@@ -1,5 +1,5 @@
---
-title: Understanding PCR banks on TPM 2.0 devices (Windows 10)
+title: Understanding PCR banks on TPM 2.0 devices (Windows)
description: This topic for the IT professional provides background about what happens when you switch PCR banks on TPM 2.0 devices.
ms.assetid: 743FCCCB-99A9-4636-8F48-9ECB3A3D10DE
ms.reviewer:
@@ -13,14 +13,15 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
---
# Understanding PCR banks on TPM 2.0 devices
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
For steps on how to switch PCR banks on TPM 2.0 devices on your PC, you should contact your OEM or UEFI vendor. This topic provides background about what happens when you switch PCR banks on TPM 2.0 devices.
@@ -35,9 +36,9 @@ The [TCG PC Client Platform TPM Profile Specification](http://www.trustedcomputi
Some TPM PCRs are used as checksums of log events. The log events are extended in the TPM as the events occur. Later, an auditor can validate the logs by computing the expected PCR values from the log and comparing them to the PCR values of the TPM. Since the first 16 TPM PCRs cannot be modified arbitrarily, a match between an expected PCR value in that range and the actual TPM PCR value provides assurance of an unmodified log.
-## How does Windows 10 use PCRs?
+## How does Windows use PCRs?
-To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows 10 uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
+To bind the use of a TPM based key to a certain state of the PC, the key can be sealed to an expected set of PCR values. For instance, PCRs 0 through 7 have a well-defined value after the boot process – when the OS is loaded. When the hardware, firmware, or boot loader of the machine changes, the change can be detected in the PCR values. Windows uses this capability to make certain cryptographic keys only available at certain times during the boot process. For instance, the BitLocker key can be used at a certain point in the boot, but not before or after.
It is important to note that this binding to PCR values also includes the hashing algorithm used for the PCR. For instance, a key can be bound to a specific value of the SHA-1 PCR\[12\], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match.
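Review bot: The unchanged sentence closing this hunk contradicts itself ("a key can be bound to a specific value of the SHA-1 PCR[12], if using SHA-256 PCR banks, even with the same system configuration. Otherwise, the PCR values will not match") and should be corrected while this page is being touched, consistent with the next hunk's own statement that a key bound to SHA-1 PCR values stops working once the bank is switched to SHA-256; for example: "a key bound to a specific value of the SHA-1 PCR[12] will not unseal when the SHA-256 PCR bank is in use, even with the same system configuration, because the PCR values will not match." Minor: "TPM based key" should be hyphenated ("TPM-based"), matching the spelling used in tpm-fundamentals.md in this same change.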
@@ -45,7 +46,7 @@ It is important to note that this binding to PCR values also includes the hashin
When the PCR banks are switched, the algorithm used to compute the hashed values stored in the PCRs during extend operations is changed. Each hash algorithm will return a different cryptographic signature for the same inputs.
-As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows 10 will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
+As a result, if the currently used PCR bank is switched all keys that have been bound to the previous PCR values will no longer work. For example, if you had a key bound to the SHA-1 value of PCR\[12\] and subsequently changed the PCR banks to SHA-256, the banks wouldn’t match, and you would be unable to use that key. The BitLocker key is secured using the PCR banks and Windows will not be able to unseal it if the PCR banks are switched while BitLocker is enabled.
## What can I do to switch PCRs when BitLocker is already active?
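Review bot: The changed sentence needs a comma after the conditional clause: "if the currently used PCR bank is switched, all keys that have been bound to the previous PCR values will no longer work." Also, in the unchanged context line above it, "a different cryptographic signature for the same inputs" misuses the term: a hash algorithm produces a digest, not a signature, so "a different digest for the same inputs" is the accurate wording.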
diff --git a/windows/security/information-protection/tpm/tpm-fundamentals.md b/windows/security/information-protection/tpm/tpm-fundamentals.md
index cffb2255cf..123b5b21c7 100644
--- a/windows/security/information-protection/tpm/tpm-fundamentals.md
+++ b/windows/security/information-protection/tpm/tpm-fundamentals.md
@@ -1,5 +1,5 @@
---
-title: TPM fundamentals (Windows 10)
+title: Trusted Platform Module (TPM) fundamentals (Windows)
description: Inform yourself about the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and how they are used to mitigate dictionary attacks.
ms.assetid: ac90f5f9-9a15-4e87-b00d-4adcf2ec3000
ms.reviewer:
@@ -13,26 +13,27 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 08/16/2017
+ms.date: 09/06/2021
---
# TPM fundamentals
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
-This topic for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
+This article for the IT professional provides a description of the components of the Trusted Platform Module (TPM 1.2 and TPM 2.0) and explains how they are used to mitigate dictionary attacks.
-A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is usually installed on the motherboard of a computer, and it communicates with the remainder of the system by using a hardware bus.
+A Trusted Platform Module (TPM) is a microchip designed to provide basic security-related functions, primarily involving encryption keys. The TPM is installed on the motherboard of a computer, and it communicates with the rest of the system by using a hardware bus.
Computers that incorporate a TPM can create cryptographic keys and encrypt them so that they can only be decrypted by the TPM. This process, often called wrapping or binding a key, can help protect the key from disclosure. Each TPM has a master wrapping key, called the storage root key, which is stored within the TPM itself. The private portion of a storage root key or endorsement key that is created in a TPM is never exposed to any other component, software, process, or user.
You can specify whether encryption keys that are created by the TPM can be migrated or not. If you specify that they can be migrated, the public and private portions of the key can be exposed to other components, software, processes, or users. If you specify that encryption keys cannot be migrated, the private portion of the key is never exposed outside the TPM.
-Computers that incorporate a TPM can also create a key that has not only been wrapped, but is also tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
+Computers that incorporate a TPM can also create a key that is wrapped and tied to certain platform measurements. This type of key can be unwrapped only when those platform measurements have the same values that they had when the key was created. This process is referred to as “sealing the key to the TPM.” Decrypting the key is called unsealing. The TPM can also seal and unseal data that is generated outside the TPM. With this sealed key and software, such as BitLocker Drive Encryption, you can lock data until specific hardware or software conditions are met.
-With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. Because the TPM uses its own internal firmware and logic circuits to process instructions, it does not rely on the operating system, and it is not exposed to vulnerabilities that might exist in the operating system or application software.
+With a TPM, private portions of key pairs are kept separate from the memory that is controlled by the operating system. Keys can be sealed to the TPM, and certain assurances about the state of a system (assurances that define the trustworthiness of a system) can be made before the keys are unsealed and released for use. The TPM uses its own internal firmware and logic circuits to process instructions. Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities that might exist in the operating system or application software.
For info about which versions of Windows support which versions of the TPM, see [Trusted Platform Module technology overview](trusted-platform-module-overview.md). The features that are available in the versions are defined in specifications by the Trusted Computing Group (TCG). For more info, see the Trusted Platform Module page on the Trusted Computing Group website: [Trusted Platform Module](http://www.trustedcomputinggroup.org/developers/trusted_platform_module).
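Review bot: Dropping "usually" from "The TPM is usually installed on the motherboard" makes the sentence inaccurate for integrated and firmware TPMs, which tpm-recommendations.md in this same change describes as living in the platform chipset or running in a TEE on the SoC; keep "usually", or say "is typically a component on the motherboard or integrated into the platform chipset". Also, the front-matter title was changed to "Trusted Platform Module (TPM) fundamentals (Windows)" while the H1 still reads "# TPM fundamentals"; align the two. Minor: "Hence, it doesn't rely on the operating system and it isn't exposed to vulnerabilities" reads better as one sentence with a comma before "and".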
@@ -61,16 +62,15 @@ The following topic describes the TPM Services that can be controlled centrally
## Measured Boot with support for attestation
-The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can initiate remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
+The Measured Boot feature provides antimalware software with a trusted (resistant to spoofing and tampering) log of all boot components. Antimalware software can use the log to determine whether components that ran before it are trustworthy versus infected with malware. It can also send the Measured Boot logs to a remote server for evaluation. The remote server can start remediation actions by interacting with software on the client or through out-of-band mechanisms, as appropriate.
## TPM-based Virtual Smart Card
-The Virtual Smart Card emulates the functionality of traditional smart cards, but Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than requiring the use of a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a
-Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
+The Virtual Smart Card emulates the functionality of traditional smart cards. Virtual Smart Cards use the TPM chip that is available on an organization’s computers, rather than using a separate physical smart card and reader. This greatly reduces the management and deployment cost of smart cards in an enterprise. To the end user, the Virtual Smart Card is always available on the computer. If a user needs to use more than one computer, a Virtual Smart Card must be issued to the user for each computer. A computer that is shared among multiple users can host multiple Virtual Smart Cards, one for each user.
## TPM-based certificate storage
-The TPM can be used to protect certificates and RSA keys. The TPM key storage provider (KSP) provides easy, convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP can be used to generate keys when an organization enrolls for certificates, and the KSP is managed by templates in the UI. The TPM can also be used to protect certificates that are imported from an outside source. TPM-based certificates can be used exactly as standard certificates with the added functionality that the certificate can never leave the TPM from which the keys were generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
+The TPM protects certificates and RSA keys. The TPM key storage provider (KSP) provides easy and convenient use of the TPM as a way of strongly protecting private keys. The TPM KSP generates keys when an organization enrolls for certificates. The KSP is managed by templates in the UI. The TPM also protects certificates that are imported from an outside source. TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated. The TPM can now be used for crypto-operations through Cryptography API: Next Generation (CNG). For more info, see [Cryptography API: Next Generation](/windows/win32/seccng/cng-portal).
## TPM Cmdlets
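Review bot: The rewrite of the certificate-storage paragraph changes meaning. "The TPM protects certificates and RSA keys" and "The TPM KSP generates keys when an organization enrolls for certificates" now state these always happen, whereas the original said the TPM "can be used to" do so; keep the modal. More importantly, "TPM-based certificates are standard certificates. The certificate can never leave the TPM from which the keys are generated." loses the contrast the original expressed ("can be used exactly as standard certificates with the added functionality that ... can never leave the TPM"), and it is the private key, not the certificate, that is non-exportable; suggest "TPM-based certificates can be used exactly like standard certificates, with the added property that the private key can never leave the TPM in which it was generated."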
@@ -78,31 +78,31 @@ You can manage the TPM using Windows PowerShell. For details, see [TPM Cmdlets i
## Physical presence interface
-For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning the TPM on, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
+For TPM 1.2, the TCG specifications for TPMs require physical presence (typically, pressing a key) for turning on the TPM, turning it off, or clearing it. These actions typically cannot be automated with scripts or other automation tools unless the individual OEM supplies them.
## TPM 1.2 states and initialization
-For TPM 1.2, there are multiple possible states. Windows 10 automatically initializes the TPM, which brings it to an enabled, activated, and owned state.
+TPM 1.2 has multiple possible states. Windows automatically initializes the TPM, which brings it to an enabled, activated, and owned state.
## Endorsement keys
-For a TPM to be usable by a trusted application, it must contain an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM, and it is never revealed or accessible outside the TPM.
+A trusted application can use TPM only if the TPM contains an endorsement key, which is an RSA key pair. The private half of the key pair is held inside the TPM and it is never revealed or accessible outside the TPM.
## Key attestation
-TPM key attestation allows a certification authority to verify that a private key is actually protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys which have been proven valid can be used to bind the user identity to a device. Moreover, the user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
+TPM key attestation allows a certification authority to verify that a private key is protected by a TPM and that the TPM is one that the certification authority trusts. Endorsement keys proven valid are used to bind the user identity to a device. The user certificate with a TPM attested key provides higher security assurance backed up by the non-exportability, anti-hammering, and isolation of keys provided by a TPM.
## Anti-hammering
-When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM can be used to create a cryptographic key that is not disclosed outside the TPM, but is able to be used in the TPM after the correct authorization value is provided.
+When a TPM processes a command, it does so in a protected environment, for example, a dedicated microcontroller on a discrete chip or a special hardware-protected mode on the main CPU. A TPM is used to create a cryptographic key that is not disclosed outside the TPM. It is used in the TPM after the correct authorization value is provided.
TPMs have anti-hammering protection that is designed to prevent brute force attacks, or more complex dictionary attacks, that attempt to determine authorization values for using a key. The basic approach is for the TPM to allow only a limited number of authorization failures before it prevents more attempts to use keys and locks. Providing a failure count for individual keys is not technically practical, so TPMs have a global lockout when too many authorization failures occur.
-Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. Generally, TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
+Because many entities can use the TPM, a single authorization success cannot reset the TPM’s anti-hammering protection. This prevents an attacker from creating a key with a known authorization value and then using it to reset the TPM’s protection. TPMs are designed to forget about authorization failures after a period of time so the TPM does not enter a lockout state unnecessarily. A TPM owner password can be used to reset the TPM’s lockout logic.
### TPM 2.0 anti-hammering
-TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer, and the logic varied widely throughout the industry.
+TPM 2.0 has well defined anti-hammering behavior. This is in contrast to TPM 1.2 for which the anti-hammering protection was implemented by the manufacturer and the logic varied widely throughout the industry.
For systems with TPM 2.0, the TPM is configured by Windows to lock after 32 authorization failures and to forget one authorization failure every two hours. This means that a user could quickly attempt to use a key with the wrong authorization value 32 times. For each of the 32 attempts, the TPM records if the authorization value was correct or not. This inadvertently causes the TPM to enter a locked state after 32 failed attempts.
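Review bot: The unchanged context line ending this hunk says Windows configures TPM 2.0 "to forget one authorization failure every two hours", while manage-tpm-lockout.md in this same change says Windows sets the healing time to 10 minutes; the two pages should agree, or each should state which Windows versions its figure applies to, before this lands. In the changed lines: "A trusted application can use TPM only if the TPM contains an endorsement key" is missing an article ("use the TPM"); "Endorsement keys proven valid are used to bind the user identity" and "A TPM is used to create a cryptographic key" both replace "can be used" with "is/are used", which overstates what is optional behaviour; and "It is used in the TPM after the correct authorization value is provided" has an ambiguous "It" (the key, not the TPM).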
@@ -134,7 +134,7 @@ Increasing the PIN length requires a greater number of guesses for an attacker.
In that case, the lockout duration between each guess can be shortened to allow legitimate users to retry a failed attempt sooner, while maintaining a similar level of protection.
Beginning with Windows 10, version 1703, the minimum length for the BitLocker PIN was increased to 6 characters to better align with other Windows features that leverage TPM 2.0, including Windows Hello.
-To help organizations with the transition, beginning with Windows 10, version 1709 and Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
+To help organizations with the transition, with Windows 10, version 1703 with the October 2017 [cumulative update](https://support.microsoft.com/help/4018124) installed, Windows 10, version 1709 and higher, and Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters.
If the minimum PIN length is reduced from the default of six characters, then the TPM 2.0 lockout period will be extended.
### TPM-based smart cards
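Review bot: The rewritten PIN-length sentence is hard to parse because three OS conditions are run together with no grouping: "with Windows 10, version 1703 with the October 2017 cumulative update installed, Windows 10, version 1709 and higher, and Windows 11". Suggest: "beginning with Windows 10, version 1709 (or Windows 10, version 1703 with the October 2017 cumulative update installed), and in Windows 11, the BitLocker PIN length is 6 characters by default, but it can be reduced to 4 characters."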
@@ -152,4 +152,4 @@ The Windows TPM-based smart card, which is a virtual smart card, can be configur
- [Trusted Platform Module](trusted-platform-module-top-node.md) (list of topics)
- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/)
- [TPM WMI providers](/windows/win32/secprov/security-wmi-providers-reference)
-- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations)
\ No newline at end of file
+- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md#tpm-hardware-configurations)
diff --git a/windows/security/information-protection/tpm/tpm-recommendations.md b/windows/security/information-protection/tpm/tpm-recommendations.md
index 658a7d98d5..de5f910d13 100644
--- a/windows/security/information-protection/tpm/tpm-recommendations.md
+++ b/windows/security/information-protection/tpm/tpm-recommendations.md
@@ -1,6 +1,6 @@
---
-title: TPM recommendations (Windows 10)
-description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
+title: TPM recommendations (Windows)
+description: This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
ms.assetid: E85F11F5-4E6A-43E7-8205-672F77706561
ms.reviewer:
ms.prod: w10
@@ -14,27 +14,28 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 11/29/2018
+ms.date: 09/06/2021
---
# TPM recommendations
**Applies to**
-- Windows 10
-- Windows Server 2016
+- Windows 10
+- Windows 11
+- Windows Server 2016 and above
-This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows 10.
+This topic provides recommendations for Trusted Platform Module (TPM) technology for Windows.
For a basic feature description of TPM, see the [Trusted Platform Module Technology Overview](trusted-platform-module-overview.md).
## TPM design and implementation
-Traditionally, TPMs have been discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Although discrete TPM implementations are still common, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
+Traditionally, TPMs are discrete chips soldered to a computer’s motherboard. Such implementations allow the computer’s original equipment manufacturer (OEM) to evaluate and certify the TPM separate from the rest of the system. Discrete TPM implementations are common. However, they can be problematic for integrated devices that are small or have low power consumption. Some newer TPM implementations integrate TPM functionality into the same chipset as other platform components while still providing logical separation similar to discrete TPM chips.
-TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows 10 automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
+TPMs are passive: they receive commands and return responses. To realize the full benefit of a TPM, the OEM must carefully integrate system hardware and firmware with the TPM to send it commands and react to its responses. TPMs were originally designed to provide security and privacy benefits to a platform’s owner and users, but newer versions can provide security and privacy benefits to the system hardware itself. Before it can be used for advanced scenarios, however, a TPM must be provisioned. Windows automatically provisions a TPM, but if the user is planning to reinstall the operating system, he or she may need to clear the TPM before reinstalling so that Windows can take full advantage of the TPM.
-The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards that support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
+The Trusted Computing Group (TCG) is the nonprofit organization that publishes and maintains the TPM specification. The TCG exists to develop, define, and promote vendor-neutral, global industry standards. These standards support a hardware-based root of trust for interoperable trusted computing platforms. The TCG also publishes the TPM specification as the international standard ISO/IEC 11889, using the Publicly Available Specification Submission Process that the Joint Technical Committee 1 defines between the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC).
OEMs implement the TPM as a component in a trusted computing platform, such as a PC, tablet, or phone. Trusted computing platforms use the TPM to support privacy and security scenarios that software alone cannot achieve. For example, software alone cannot reliably report whether malware is present during the system startup process. The close integration between TPM and platform increases the transparency of the startup process and supports evaluating device health by enabling reliable measuring and reporting of the software that starts the device. Implementation of a TPM as part of a trusted computing platform provides a hardware root of trust—that is, it behaves in a trusted way. For example, if a key stored in a TPM has properties that disallow exporting the key, that key truly cannot leave the TPM.
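Review bot: Changing "Traditionally, TPMs have been discrete chips" to "Traditionally, TPMs are discrete chips" mixes tenses ("traditionally" describes past practice), and the new "Discrete TPM implementations are common. However, they can be problematic..." drops the "still" that set up the contrast with the newer integrated implementations described in the following sentence; keep "have been" and "are still common". Also, the "Applies to" list shows "- Windows 10" both removed and added with no visible difference, which suggests a whitespace-only or non-breaking-space change; confirm that is intended.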
@@ -54,7 +55,7 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 2.0 **enables greater crypto agility** by being more flexible with respect to cryptographic algorithms.
- - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs do not support all algorithms.
+ - TPM 2.0 supports newer algorithms, which can improve drive signing and key generation performance. For the full list of supported algorithms, see the [TCG Algorithm Registry](http://www.trustedcomputinggroup.org/tcg-algorithm-registry/). Some TPMs don't support all algorithms.
- For the list of algorithms that Windows supports in the platform cryptographic storage provider, see [CNG Cryptographic Algorithm Providers](/windows/win32/seccertenroll/cng-cryptographic-algorithm-providers).
@@ -68,14 +69,14 @@ TPM 2.0 products and systems have important security advantages over TPM 1.2, in
- TPM 2.0 lockout policy is configured by Windows, ensuring a consistent dictionary attack protection guarantee.
-- While TPM 1.2 parts are discrete silicon components which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s) - and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
+- While TPM 1.2 parts are discrete silicon components, which are typically soldered on the motherboard, TPM 2.0 is available as a **discrete (dTPM)** silicon component in a single semiconductor package, an **integrated** component incorporated in one or more semiconductor packages - alongside other logic units in the same package(s), and as a **firmware (fTPM)** based component running in a trusted execution environment (TEE) on a general purpose SoC.
> [!NOTE]
> TPM 2.0 is not supported in Legacy and CSM Modes of the BIOS. Devices with TPM 2.0 must have their BIOS mode configured as Native UEFI only. The Legacy and Compatibility Support Module (CSM) options must be disabled. For added security Enable the Secure Boot feature.
>
> Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI. Use the tool [MBR2GPT](/windows/deployment/mbr-to-gpt) before changing the BIOS mode which will prepare the OS and the disk to support UEFI.
-## Discrete, Integrated or Firmware TPM?
+## Discrete, Integrated, or Firmware TPM?
There are three implementation options for TPMs:
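Review bot: The unchanged NOTE block in this hunk has errors worth fixing while the neighbouring bullet is being edited: "For added security Enable the Secure Boot feature." needs a comma and a lowercase "enable", and "Installed Operating System on hardware in legacy mode will stop the OS from booting when the BIOS mode is changed to UEFI" should read "An operating system installed in legacy BIOS mode will not boot after the BIOS mode is changed to UEFI; run MBR2GPT first to prepare the OS and the disk for UEFI."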
@@ -85,17 +86,17 @@ There are three implementation options for TPMs:
- Firmware TPM solution, running the TPM in firmware in a Trusted Execution mode of a general purpose computation unit
-Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions which should suit all needs.
+Windows uses any compatible TPM in the same way. Microsoft does not take a position on which way a TPM should be implemented and there is a wide ecosystem of available TPM solutions, which should suit all needs.
## Is there any importance for TPM for consumers?
-For end consumers, TPM is behind the scenes but is still very relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows 10 experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
+For end consumers, TPM is behind the scenes but is still relevant. TPM is used for Windows Hello, Windows Hello for Business and in the future, will be a component of many other key security features in Windows. TPM secures the PIN, helps encrypt passwords, and builds on our overall Windows experience story for security as a critical pillar. Using Windows on a system with a TPM enables a deeper and broader level of security coverage.
-## TPM 2.0 Compliance for Windows 10
+## TPM 2.0 Compliance for Windows
-### Windows 10 for desktop editions (Home, Pro, Enterprise, and Education)
+### Windows for desktop editions (Home, Pro, Enterprise, and Education)
-- Since July 28, 2016, all new device models, lines or series (or if you are updating the hardware configuration of an existing model, line or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
+- Since July 28, 2016, all new device models, lines, or series (or if you're updating the hardware configuration of an existing model, line, or series with a major update, such as CPU, graphic cards) must implement and enable by default TPM 2.0 (details in section 3.7 of the [Minimum hardware requirements](/windows-hardware/design/minimum/minimum-hardware-requirements-overview) page). The requirement to enable TPM 2.0 only applies to the manufacturing of new devices. For TPM recommendations for specific Windows features, see [TPM and Windows Features](#tpm-and-windows-features).
### IoT Core
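Review bot: The comma inserted before "which should suit all needs" turns a restrictive clause into a non-restrictive aside, shifting the meaning from "solutions that suit all needs exist" to a remark about every available solution; prefer `there is a wide ecosystem of available TPM solutions that should suit all needs`. In the same hunk, "graphic cards" should be "graphics cards", and "Windows Hello, Windows Hello for Business and in the future, will be" needs a comma after "Business" (or the comma after "future" removed) to parse cleanly.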
@@ -103,7 +104,7 @@ For end consumers, TPM is behind the scenes but is still very relevant. TPM is u
### Windows Server 2016
-- TPM is optional for Windows Server SKUs unless the SKU meets the additional qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
+- TPM is optional for Windows Server SKUs unless the SKU meets the other qualification (AQ) criteria for the Host Guardian Services scenario in which case TPM 2.0 is required.
## TPM and Windows Features
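Review bot: Changing "additional qualification (AQ) criteria" to "other qualification (AQ) criteria" breaks the expansion of the acronym: AQ stands for Additional Qualification, so the word cannot be substituted. Revert this line to `additional qualification (AQ) criteria`; if a style rule flags "additional", an acronym expansion is the exception.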
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-overview.md b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
index 5bbb8174ec..e401d19506 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-overview.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-overview.md
@@ -1,5 +1,5 @@
---
-title: Trusted Platform Module Technology Overview (Windows 10)
+title: Trusted Platform Module Technology Overview (Windows)
description: This topic for the IT professional describes the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.assetid: face8932-b034-4319-86ac-db1163d46538
ms.reviewer:
@@ -42,9 +42,9 @@ TPM-based keys can be configured in a variety of ways. One option is to make a T
Different versions of the TPM are defined in specifications by the Trusted Computing Group (TCG). For more information, consult the [TCG Web site](http://www.trustedcomputinggroup.org/work-groups/trusted-platform-module/).
-### Automatic initialization of the TPM with Windows 10
+### Automatic initialization of the TPM with Windows
-Starting with Windows 10, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
+Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM. This means that in most cases, we recommend that you avoid configuring the TPM through the TPM management console, **TPM.msc**. There are a few exceptions, mostly related to resetting or performing a clean installation on a PC. For more information, see [Clear all the keys from the TPM](initialize-and-configure-ownership-of-the-tpm.md#clear-all-the-keys-from-the-tpm). We're [no longer actively developing the TPM management console](/windows-server/get-started-19/removed-features-19#features-were-no-longer-developing) beginning with Windows Server 2019 and Windows 10, version 1809.
In certain specific enterprise scenarios limited to Windows 10, versions 1507 and 1511, Group Policy might be used to back up the TPM owner authorization value in Active Directory. Because the TPM state persists across operating system installations, this TPM information is stored in a location in Active Directory that is separate from computer objects.
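Review bot: "Starting with Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM" is awkward, since a behavior that starts with Windows 10 already covers Windows 11. Either keep the original "Starting with Windows 10" or write `In Windows 10 and Windows 11, the operating system automatically initializes and takes ownership of the TPM`.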
@@ -54,13 +54,13 @@ Certificates can be installed or created on computers that are using the TPM. Af
Automated provisioning in the TPM reduces the cost of TPM deployment in an enterprise. New APIs for TPM management can determine if TPM provisioning actions require physical presence of a service technician to approve TPM state change requests during the boot process.
-Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 and later editions or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
+Antimalware software can use the boot measurements of the operating system start state to prove the integrity of a computer running Windows 10 or Windows 11 or Windows Server 2016. These measurements include the launch of Hyper-V to test that datacenters using virtualization are not running untrusted hypervisors. With BitLocker Network Unlock, IT administrators can push an update without concerns that a computer is waiting for PIN entry.
The TPM has several Group Policy settings that might be useful in certain enterprise scenarios. For more info, see [TPM Group Policy Settings](trusted-platform-module-services-group-policy-settings.md).
## New and changed functionality
-For more info on new and changed functionality for Trusted Platform Module in Windows 10, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
+For more info on new and changed functionality for Trusted Platform Module in Windows, see [What's new in Trusted Platform Module?](/windows/whats-new/whats-new-windows-10-version-1507-and-1511#trusted-platform-module)
## Device health attestation
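Review bot: "a computer running Windows 10 or Windows 11 or Windows Server 2016" has a doubled "or"; write `Windows 10, Windows 11, or Windows Server 2016 and later`. The edit also dropped the "and later" that the original "Windows 10 and later editions" carried, so later releases are no longer covered by the sentence. Further down in this hunk, the sentence now says "new and changed functionality for Trusted Platform Module in Windows" but still links to the Windows 10 version 1507 and 1511 what's-new page; either keep "Windows 10" in that sentence or point to a version-neutral page.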
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
index 0961556a4b..0ae9cb6622 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-services-group-policy-settings.md
@@ -1,5 +1,5 @@
---
-title: TPM Group Policy settings (Windows 10)
+title: TPM Group Policy settings (Windows)
description: This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
ms.assetid: 54ff1c1e-a210-4074-a44e-58fee26e4dbd
ms.reviewer:
@@ -13,14 +13,15 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 10/02/2018
+ms.date: 09/06/2021
---
# TPM Group Policy settings
**Applies to**
- Windows 10
-- Windows Server 2016 and later
+- Windows 11
+- Windows Server 2016 and above
This topic describes the Trusted Platform Module (TPM) Services that can be controlled centrally by using Group Policy settings.
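Review bot: The Applies-to list now says "Windows Server 2016 and above"; the convention used in the overview file of this same PR is "and later" ("Windows 10 and later editions"), so use `- Windows Server 2016 and later`. The top-node file's Applies-to list introduces the same "and above" wording in this PR and should be aligned at the same time.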
@@ -28,7 +29,7 @@ The Group Policy settings for TPM services are located at:
**Computer Configuration\\Administrative Templates\\System\\Trusted Platform Module Services\\**
-The following Group Policy settings were introduced in Windows 10.
+The following Group Policy settings were introduced in Windows.
## Configure the level of TPM owner authorization information available to the operating system
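Review bot: "The following Group Policy settings were introduced in Windows." no longer states anything; the original "introduced in Windows 10" recorded the version in which these settings first appeared, which a reader managing a mixed Windows 10 and Windows 11 fleet needs to know. Keep the version, for example `The following Group Policy settings were introduced in Windows 10 and also apply to Windows 11.`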
@@ -71,8 +72,7 @@ The following table shows the TPM owner authorization values in the registry.
If you enable this policy setting, the Windows operating system will store the TPM owner authorization in the registry of the local computer according to the TPM authentication setting you choose.
-On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not
-configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
+On Windows 10 prior to version 1607, if you disable or do not configure this policy setting, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is also disabled or not configured, the default setting is to store the full TPM authorization value in the local registry. If this policy is disabled or not configured, and the **Turn on TPM backup to Active Directory Domain Services** policy setting is enabled, only the administrative delegation and the user delegation blobs are stored in the local registry.
## Standard User Lockout Duration
@@ -146,5 +146,5 @@ If you don't want users to see the recommendation to update TPM firmware, you ca
## Related topics
- [Trusted Platform Module](trusted-platform-module-top-node.md)
-- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps)
+- [TPM Cmdlets in Windows PowerShell](/powershell/module/trustedplatformmodule/?view=win10-ps&preserve-view=true)
- [Prepare your organization for BitLocker: Planning and Policies - TPM configurations](../bitlocker/prepare-your-organization-for-bitlocker-planning-and-policies.md)
\ No newline at end of file
diff --git a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
index 124caf74f2..1e071cfbdc 100644
--- a/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
+++ b/windows/security/information-protection/tpm/trusted-platform-module-top-node.md
@@ -1,5 +1,5 @@
---
-title: Trusted Platform Module (Windows 10)
+title: Trusted Platform Module (Windows)
description: This topic for the IT professional provides links to information about the Trusted Platform Module (TPM) and how Windows uses it for access control and authentication.
ms.prod: w10
ms.mktglfcycl: deploy
@@ -12,7 +12,7 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 09/11/2018
+ms.date: 09/06/2021
ms.reviewer:
---
@@ -20,7 +20,8 @@ ms.reviewer:
**Applies to**
- Windows 10
-- Windows Server 2016
+- Windows 11
+- Windows Server 2016 and above
Trusted Platform Module (TPM) technology is designed to provide hardware-based, security-related functions. A TPM chip is a secure crypto-processor that helps you with actions such as generating, storing, and limiting the use of cryptographic keys. The following topics provide details.
@@ -32,6 +33,6 @@ Trusted Platform Module (TPM) technology is designed to provide hardware-based,
| [TPM fundamentals](tpm-fundamentals.md) | Provides background about how a TPM can work with cryptographic keys. Also describes technologies that work with the TPM, such as TPM-based virtual smart cards. |
| [TPM Group Policy settings](trusted-platform-module-services-group-policy-settings.md) | Describes TPM services that can be controlled centrally by using Group Policy settings. |
| [Back up the TPM recovery information to AD DS](backup-tpm-recovery-information-to-ad-ds.md) | For Windows 10, version 1511 and Windows 10, version 1507 only, describes how to back up a computer’s TPM information to Active Directory Domain Services. |
-| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, describes how to turn the TPM on or off. |
+| [Troubleshoot the TPM](initialize-and-configure-ownership-of-the-tpm.md) | Describes actions you can take through the TPM snap-in, TPM.msc: view TPM status, troubleshoot TPM initialization, and clear keys from the TPM. Also, for TPM 1.2 and Windows 10, version 1507 or 1511, or Windows 11, describes how to turn the TPM on or off. |
| [Understanding PCR banks on TPM 2.0 devices](switch-pcr-banks-on-tpm-2-0-devices.md) | Provides background about what happens when you switch PCR banks on TPM 2.0 devices. |
-| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows 10 features for which a TPM is required or recommended. |
+| [TPM recommendations](tpm-recommendations.md) | Discusses aspects of TPMs such as the difference between TPM 1.2 and 2.0, and the Windows features for which a TPM is required or recommended. |
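Review bot: Appending "or Windows 11" to "for TPM 1.2 and Windows 10, version 1507 or 1511, ... describes how to turn the TPM on or off" contradicts the qualifier it extends: that sentence scopes the turn-on/off procedure to TPM 1.2 on Windows 10 versions 1507 and 1511 only, and the overview file in this same PR states that Windows 10 and Windows 11 automatically initialize and take ownership of the TPM. Drop "or Windows 11" here unless the linked page actually documents a Windows 11 procedure.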
diff --git a/windows/security/operating-system.md b/windows/security/operating-system.md
new file mode 100644
index 0000000000..66115fef04
--- /dev/null
+++ b/windows/security/operating-system.md
@@ -0,0 +1,42 @@
+---
+title: Windows operating system security
+description: Securing the operating system includes system security, encryption, network security, and threat protection.
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: deniseb
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: denisebmsft
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+ms.date: 09/21/2021
+---
+
+# Windows operating system security
+
+Security and privacy depend on an operating system that guards your system and information from the moment it starts up, providing fundamental chip-to-cloud protection. Windows 11 is the most secure Windows yet with extensive security measures designed to help keep you safe. These measures include built-in advanced encryption and data protection, robust network and system security, and intelligent safeguards against ever-evolving threats.
+
+Use the links in the following table to learn more about the operating system security features and capabilities in Windows 11.
+
+| Security Measures | Features & Capabilities |
+|:---|:---|
+| Secure Boot and Trusted Boot | Secure Boot and Trusted Boot help prevent malware and corrupted components from loading when a Windows device is starting. Secure Boot starts with initial boot-up protection, and then Trusted Boot picks up the process. Together, Secure Boot and Trusted Boot help to ensure your Windows system boots up safely and securely.
Learn more [Secure Boot and Trusted Boot](trusted-boot.md). |
+Cryptography and certificate management|Cryptography uses code to convert data so that only a specific recipient can read it by using a key. Cryptography enforces privacy to prevent anyone except the intended recipient from reading data, integrity to ensure data is free of tampering, and authentication that verifies identity to ensure that communication is secure.
Learn more about [Cryptography and certificate management](cryptography-certificate-mgmt.md).
|
+Windows Security app | The Windows built-in security application found in settings provides an at-a-glance view of the security status and health of your device. These insights help you identify issues and take action to make sure you’re protected. You can quickly see the status of your virus and threat protection, firewall and network security, device security controls, and more.
Learn more about the [Windows Security app](threat-protection/windows-defender-security-center/windows-defender-security-center.md).|
+| Encryption and data protection | Wherever confidential data is stored, it must be protected against unauthorized access, whether through physical device theft or from malicious applications. Windows provides strong at-rest data-protection solutions that guard against nefarious attackers.
Learn more about [Encryption](encryption-data-protection.md).
+| BitLocker | BitLocker Drive Encryption is a data protection feature that integrates with the operating system and addresses the threats of data theft or exposure from lost, stolen, or inappropriately decommissioned computers. BitLocker provides the most protection when used with a Trusted Platform Module (TPM) version 1.2 or later.
Learn more about [BitLocker](information-protection/bitlocker/bitlocker-overview.md). |
+| Encrypted Hard Drive | Encrypted Hard Drive uses the rapid encryption that is provided by BitLocker Drive Encryption to enhance data security and management.
By offloading the cryptographic operations to hardware, Encrypted Hard Drives increase BitLocker performance and reduce CPU usage and power consumption. Because Encrypted Hard Drives encrypt data quickly, enterprise devices can expand BitLocker deployment with minimal impact on productivity.
Learn more about [Encrypted Hard Drives](information-protection/encrypted-hard-drive.md).
|
+| Security baselines | A security baseline is a group of Microsoft-recommended configuration settings that explains their security impact. These settings are based on feedback from Microsoft security engineering teams, product groups, partners, and customers.
Security baselines are included in the [Security Compliance Toolkit](threat-protection/windows-security-configuration-framework/security-compliance-toolkit-10.md) that you can download from the Microsoft Download Center.
Learn more about [security baselines](threat-protection/windows-security-configuration-framework/windows-security-baselines.md). |
+| Virtual Private Network | Virtual private networks (VPNs) are point-to-point connections across a private or public network, such as the Internet. A VPN client uses special TCP/IP or UDP-based protocols, called tunneling protocols, to make a virtual call to a virtual port on a VPN server.
Learn more about [Virtual Private Networks](identity-protection/vpn/vpn-guide.md).
|
+| Windows Defender Firewall | Windows Defender Firewall is a stateful host firewall that helps secure the device by allowing you to create rules that determine which network traffic is permitted to enter the device from the network and which network traffic the device is allowed to send to the network. Windows Defender Firewall also supports Internet Protocol security (IPsec), which you can use to require authentication from any device that is attempting to communicate with your device.
Learn more about [Windows Defender Firewall with advanced security](threat-protection/windows-firewall/windows-firewall-with-advanced-security.md).
+| Antivirus & antimalware protection | Microsoft Defender Antivirus is included in all versions of Windows 10, Windows Server 2016 and later, and Windows 11. If you have another antivirus app installed and turned on, Microsoft Defender Antivirus will turn off automatically. If you uninstall the other app, Microsoft Defender Antivirus will turn back on.
From the moment you boot Windows, Microsoft Defender Antivirus continually monitors for malware, viruses, and security threats. Updates are downloaded automatically to help protect your device from threats. Microsoft Defender Antivirus continually scans for malware and threats, and also detects and blocks [potentially unwanted applications](/microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus) (applications that can negatively impact your device even though they are not considered malware).
Microsoft Defender Antivirus integrates with [cloud-delivered protection](/microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus), which helps ensure near-instant detection and blocking of new and emerging threats.
Learn more about [next-generation protection and Microsoft Defender Antivirus](/microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-windows).|
+| Attack surface reduction rules | Your attack surfaces are the places and ways you are vulnerable to a cyber attack. Attack surface reduction rules are built into Windows and Windows Server to prevent and block certain behaviors that are often abused to compromise your device or network. Such behaviors can include launching scripts or executables that attempt to download or run other files, running suspicious scripts, or performing other behaviors that apps don't typically initiate during normal work. You can configure your attack surface reduction rules to protect against these risky behaviors.
Learn more about [Attack surface reduction rules](/microsoft-365/security/defender-endpoint/attack-surface-reduction) |
+| Anti-tampering protection | During cyber attacks (like ransomware attempts), bad actors attempt to disable security features, such as antivirus protection on targeted devices. Bad actors like to disable security features to get easier access to user’s data, to install malware, or to otherwise exploit user’s data, identity, and devices without fear of being blocked. Tamper protection helps prevent these kinds of activities.
With tamper protection, malware is prevented from taking actions such as:
- Disabling virus and threat protection
- Disabling real-time protection
- Turning off behavior monitoring
- Disabling antivirus (such as IOfficeAntivirus (IOAV))
- Disabling cloud-delivered protection
- Removing security intelligence updates
Learn more about [Tamper protection](/microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection). |
+| Network protection | Network protection in Windows helps prevent users from accessing dangerous IP addresses and domains that may host phishing scams, exploits, and other malicious content on the Internet. Network protection is part of attack surface reduction and helps provide an extra layer of protection for a user. Using reputation-based services, network protection blocks access to potentially harmful, low-reputation based domains and IP addresses.
In enterprise environments, network protection works best with [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/), which provides detailed reporting into protection events as part of larger investigation scenarios.
Learn more about [Network protection](/microsoft-365/security/defender-endpoint/network-protection). |
+| Controlled folder access | With controlled folder access, you can protect your valuable information in specific folders by managing apps’ access to specific folders. Only trusted apps can access protected folders, which are specified when controlled folder access is configured. Typically, commonly used folders, such as those used for documents, pictures, downloads, are included in the list of controlled folders. Controlled folder access helps protect valuable data from malicious apps and threats, such as ransomware.
Learn more about [Controlled folder access](/microsoft-365/security/defender-endpoint/controlled-folders). |
+| Exploit protection | Exploit protection, available in Windows 10, version 1709 and later, automatically applies several exploit mitigation techniques to operating system processes and apps. Exploit protection works best with Microsoft Defender for Endpoint, which gives organizations detailed reporting into exploit protection events and blocks as part of typical alert investigation scenarios.
You can enable exploit protection on an individual device, and then use Group Policy to distribute the XML file to multiple devices simultaneously. When a mitigation is encountered on the device, a notification will be displayed from the Action Center. You can customize the notification with your company details and contact information. You can also enable the rules individually to customize which techniques the feature monitors.
Learn more about [Exploit protection](/microsoft-365/security/defender-endpoint/exploit-protection). |
+| Microsoft Defender for Endpoint | Windows E5 customers benefit from [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint/microsoft-defender-endpoint), an enterprise endpoint detection and response capability that helps enterprise security teams detect, investigate, and respond to advanced threats. With rich event data and attack insights, Defender for Endpoint enables your security team to investigate incidents and take remediation actions effectively and efficiently.
Defender for Endpoint also is part of [Microsoft 365 Defender](/microsoft-365/security/defender/), a unified pre- and post-breach enterprise defense suite that natively coordinates detection, prevention, investigation, and response across endpoints, identities, email, and applications to provide integrated protection against sophisticated attacks.
Learn more about [Microsoft Defender for Endpoint](/microsoft-365/security/defender-endpoint) and [Microsoft 365 Defender](/microsoft-365/security/defender/). |
+
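Review bot: Several rows of the features table are not well-formed markdown table rows as committed: the "Cryptography and certificate management" and "Windows Security app" rows lack the leading `|`, the "Encryption and data protection", "Virtual Private Network" and "Windows Defender Firewall" rows lack a closing `|`, and several cells have their "Learn more" sentence on a separate line. A markdown table needs each row on one line with pipes at both ends, so these rows will render as plain text; put each row on a single line, use `<br>` for in-cell breaks, and delimit every row with `|` at both ends. Also "Learn more [Secure Boot and Trusted Boot](trusted-boot.md)" is missing "about" to match the other rows.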
diff --git a/windows/security/security-foundations.md b/windows/security/security-foundations.md
new file mode 100644
index 0000000000..7ec5414862
--- /dev/null
+++ b/windows/security/security-foundations.md
@@ -0,0 +1,33 @@
+---
+title: Windows security foundations
+description: Get an overview of security foundations, including the security development lifecycle, common criteria, and the bug bounty program.
+ms.reviewer:
+ms.topic: article
+manager: dansimp
+ms.author: deniseb
+ms.mktglfcycl: deploy
+ms.sitesec: library
+ms.pagetype: security
+author: denisebmsft
+ms.collection: M365-security-compliance
+ms.prod: m365-security
+ms.technology: windows-sec
+---
+
+# Windows security foundations
+
+Microsoft is committed to continuously invest in improving our software development process, building highly secure-by-design software, and addressing security compliance requirements. At Microsoft, we embed security and privacy considerations from the earliest life-cycle phases of all our software development processes. We build in security from the ground for powerful defense in today’s threat environment.
+
+Our strong security foundation uses Microsoft Security Development Lifecycle (SDL) Bug Bounty, support for product security standards and certifications, and Azure Code signing. As a result, we improve security by producing software with fewer defects and vulnerabilities instead of relying on applying updates after vulnerabilities have been identified.
+
+Use the links in the following table to learn more about the security foundations:
+
+| Concept | Description |
+|:---|:---|
+| FIBS 140-2 Validation | The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard. FIPS is based on Section 5131 of the Information Technology Management Reform Act of 1996. It defines the minimum security requirements for cryptographic modules in IT products. Microsoft maintains an active commitment to meeting the requirements of the FIPS 140-2 standard, having validated cryptographic modules against it since it was first established in 2001.
Learn more about [FIPS 140-2 Validation](threat-protection/fips-140-validation.md). |
+| Common Criteria Certifications | Microsoft supports the Common Criteria certification program, ensures that products incorporate the features and functions required by relevant Common Criteria Protection Profiles, and completes Common Criteria certifications of Microsoft Windows products.
Learn more about [Common Criteria Certifications](threat-protection/windows-platform-common-criteria.md). |
+| Microsoft Security Development Lifecycle | The Security Development Lifecycle (SDL) is a security assurance process that is focused on software development. The SDL has played a critical role in embedding security and privacy in software and culture at Microsoft.
Learn more about [Microsoft SDL](threat-protection/msft-security-dev-lifecycle.md).|
+| Microsoft Bug Bounty Program | If you find a vulnerability in a Microsoft product, service, or device, we want to hear from you! If your vulnerability report affects a product or service that is within scope of one of our bounty programs below, you could receive a bounty award according to the program descriptions.
Learn more about the [Microsoft Bug Bounty Program](https://www.microsoft.com/en-us/msrc/bounty?rtc=1). |
+
+
+
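Review bot: "FIBS 140-2 Validation" in the first table row is a typo for "FIPS 140-2 Validation" (the description and link text in the same row use FIPS). Also in this file: "We build in security from the ground for powerful defense" is missing "up" ("from the ground up"); "Microsoft Security Development Lifecycle (SDL) Bug Bounty" needs a comma between the two items ("(SDL), Bug Bounty"); "Azure Code signing" should be capitalized consistently if it names the product; and unlike the sibling operating-system.md added in this PR, the front matter sets no ms.date.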
diff --git a/windows/security/threat-protection/TOC.yml b/windows/security/threat-protection/TOC.yml
deleted file mode 100644
index ae12fde723..0000000000
--- a/windows/security/threat-protection/TOC.yml
+++ /dev/null
@@ -1,1410 +0,0 @@
-- name: Threat protection
- href: index.md
- items:
- - name: Next-generation protection with Microsoft Defender Antivirus
- items:
- - name: Microsoft Defender Antivirus overview
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-in-windows-10
- - name: Evaluate Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/evaluate-microsoft-defender-antivirus
- - name: Configure Microsoft Defender Antivirus
- items:
- - name: Configure Microsoft Defender Antivirus features
- href: /microsoft-365/security/defender-endpoint/configure-microsoft-defender-antivirus-features
- - name: Use Microsoft cloud-delivered protection
- href: /microsoft-365/security/defender-endpoint/cloud-protection-microsoft-defender-antivirus
- items:
- - name: Prevent security settings changes with tamper protection
- href: /microsoft-365/security/defender-endpoint/prevent-changes-to-security-settings-with-tamper-protection
- - name: Enable Block at first sight
- href: /microsoft-365/security/defender-endpoint/configure-block-at-first-sight-microsoft-defender-antivirus
- - name: Configure the cloud block timeout period
- href: /microsoft-365/security/defender-endpoint/configure-cloud-block-timeout-period-microsoft-defender-antivirus
- - name: Configure behavioral, heuristic, and real-time protection
- items:
- - name: Configuration overview
- href: /microsoft-365/security/defender-endpoint/configure-protection-features-microsoft-defender-antivirus
- - name: Detect and block Potentially Unwanted Applications
- href: /microsoft-365/security/defender-endpoint/detect-block-potentially-unwanted-apps-microsoft-defender-antivirus
- - name: Enable and configure always-on protection and monitoring
- href: /microsoft-365/security/defender-endpoint/configure-real-time-protection-microsoft-defender-antivirus
- - name: Antivirus on Windows Server
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-on-windows-server
- - name: Antivirus compatibility
- items:
- - name: Compatibility charts
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-antivirus-compatibility
- - name: Use limited periodic antivirus scanning
- href: /microsoft-365/security/defender-endpoint/limited-periodic-scanning-microsoft-defender-antivirus
- - name: Manage Microsoft Defender Antivirus in your business
- items:
- - name: Management overview
- href: /microsoft-365/security/defender-endpoint/configuration-management-reference-microsoft-defender-antivirus
- - name: Use Microsoft Intune and Microsoft Endpoint Manager to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-intune-config-manager-microsoft-defender-antivirus
- - name: Use Group Policy settings to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-group-policy-microsoft-defender-antivirus
- - name: Use PowerShell cmdlets to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-powershell-cmdlets-microsoft-defender-antivirus
- - name: Use Windows Management Instrumentation (WMI) to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/use-wmi-microsoft-defender-antivirus
- - name: Use the mpcmdrun.exe command line tool to manage Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/command-line-arguments-microsoft-defender-antivirus
- - name: Deploy, manage updates, and report on Microsoft Defender Antivirus
- items:
- - name: Preparing to deploy
- href: /microsoft-365/security/defender-endpoint/deploy-manage-report-microsoft-defender-antivirus
- - name: Deploy and enable Microsoft Defender Antivirus
- href: /microsoft-365/security/defender-endpoint/deploy-microsoft-defender-antivirus
- - name: Deployment guide for VDI environments
- href: /microsoft-365/security/defender-endpoint/deployment-vdi-microsoft-defender-antivirus
- - name: Report on antivirus protection
- - name: Review protection status and alerts
- href: /microsoft-365/security/defender-endpoint/report-monitor-microsoft-defender-antivirus
- - name: Troubleshoot antivirus reporting in Update Compliance
- href: /microsoft-365/security/defender-endpoint/troubleshoot-reporting
- - name: Learn about the recent updates
- href: /microsoft-365/security/defender-endpoint/manage-updates-baselines-microsoft-defender-antivirus
- - name: Manage protection and security intelligence updates
- href: /microsoft-365/security/defender-endpoint/manage-protection-updates-microsoft-defender-antivirus
- - name: Manage when protection updates should be downloaded and applied
- href: /microsoft-365/security/defender-endpoint/manage-protection-update-schedule-microsoft-defender-antivirus
- - name: Manage updates for endpoints that are out of date
- href: /microsoft-365/security/defender-endpoint/manage-outdated-endpoints-microsoft-defender-antivirus
- - name: Manage event-based forced updates
- href: /microsoft-365/security/defender-endpoint/manage-event-based-updates-microsoft-defender-antivirus
- - name: Manage updates for mobile devices and VMs
- href: /microsoft-365/security/defender-endpoint/manage-updates-mobile-devices-vms-microsoft-defender-antivirus
- - name: Customize, initiate, and review the results of scans and remediation
- items:
- - name: Configuration overview
- href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus
- - name: Configure and validate exclusions in antivirus scans
- href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions based on file name, extension, and folder location
- href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions for files opened by processes
- href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- - name: Configure antivirus exclusions Windows Server
- href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- - name: Common mistakes when defining exclusions
- href: /microsoft-365/security/defender-endpoint/common-exclusion-mistakes-microsoft-defender-antivirus
- - name: Configure scanning antivirus options
- href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus
- - name: Configure remediation for scans
- href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus
- - name: Configure scheduled scans
- href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus
- - name: Configure and run scans
- href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus
- - name: Review scan results
- href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus
- - name: Run and review the results of an offline scan
- href: /microsoft-365/security/defender-endpoint//microsoft-defender-offline
- - name: Restore quarantined files
- href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
- - name: Manage scans and remediation
- items:
- - name: Management overview
- href: /microsoft-365/security/defender-endpoint/customize-run-review-remediate-scans-microsoft-defender-antivirus
- - name: Configure and validate exclusions in antivirus scans
- - name: Exclusions overview
- href: /microsoft-365/security/defender-endpoint/configure-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions based on file name, extension, and folder location
- href: /microsoft-365/security/defender-endpoint/configure-extension-file-exclusions-microsoft-defender-antivirus
- - name: Configure and validate exclusions for files opened by processes
- href: /microsoft-365/security/defender-endpoint/configure-process-opened-file-exclusions-microsoft-defender-antivirus
- - name: Configure antivirus exclusions on Windows Server
- href: /microsoft-365/security/defender-endpoint/configure-server-exclusions-microsoft-defender-antivirus
- - name: Configure scanning options
- href: /microsoft-365/security/defender-endpoint/configure-advanced-scan-types-microsoft-defender-antivirus
- - name: Configure remediation for scans
- href: /microsoft-365/security/defender-endpoint/configure-remediation-microsoft-defender-antivirus
- items:
- - name: Configure scheduled scans
- href: /microsoft-365/security/defender-endpoint/scheduled-catch-up-scans-microsoft-defender-antivirus
- - name: Configure and run scans
- href: /microsoft-365/security/defender-endpoint/run-scan-microsoft-defender-antivirus
- - name: Review scan results
- href: /microsoft-365/security/defender-endpoint/review-scan-results-microsoft-defender-antivirus
- - name: Run and review the results of an offline scan
- href: /microsoft-365/security/defender-endpoint/microsoft-defender-offline
- - name: Restore quarantined files
- href: /microsoft-365/security/defender-endpoint/restore-quarantined-files-microsoft-defender-antivirus
- - name: Troubleshoot Microsoft Defender Antivirus
- items:
- - name: Troubleshoot Microsoft Defender Antivirus issues
- href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus
- - name: Troubleshoot Microsoft Defender Antivirus migration issues
- href: /microsoft-365/security/defender-endpoint/troubleshoot-microsoft-defender-antivirus-when-migrating
- - name: "Better together: Microsoft Defender Antivirus and Microsoft Defender for Endpoint"
- href: /microsoft-365/security/defender-endpoint/why-use-microsoft-defender-antivirus
- - name: "Better together: Microsoft Defender Antivirus and Office 365"
- href: /microsoft-365/security/defender-endpoint/office-365-microsoft-defender-antivirus
- - name: Hardware-based isolation
- items:
- - name: Hardware-based isolation evaluation
- href: microsoft-defender-application-guard/test-scenarios-md-app-guard.md
- - name: Application isolation
- items:
- - name: Application guard overview
- href: microsoft-defender-application-guard/md-app-guard-overview.md
- - name: System requirements
- href: microsoft-defender-application-guard/reqs-md-app-guard.md
- - name: Install Microsoft Defender Application Guard
- href: microsoft-defender-application-guard/install-md-app-guard.md
- - name: Install Microsoft Defender Application Guard Extension
- href: microsoft-defender-application-guard/md-app-guard-browser-extension.md
- - name: Application control
- href: windows-defender-application-control/windows-defender-application-control.md
- items:
- - name: Audit Application control policies
- href: windows-defender-application-control/audit-windows-defender-application-control-policies.md
- - name: System isolation
- href: windows-defender-system-guard/system-guard-secure-launch-and-smm-protection.md
- - name: System integrity
- href: windows-defender-system-guard/system-guard-how-hardware-based-root-of-trust-helps-protect-windows.md
- - name: Code integrity
- href: device-guard/enable-virtualization-based-protection-of-code-integrity.md
- - name: Network firewall
- items:
- - name: Network firewall overview
- href: windows-firewall/windows-firewall-with-advanced-security.md
- - name: Network firewall evaluation
- href: windows-firewall/evaluating-windows-firewall-with-advanced-security-design-examples.md
- - name: Security intelligence
- href: intelligence/index.md
- items:
- - name: Understand malware & other threats
- href: intelligence/understanding-malware.md
- items:
- - name: Prevent malware infection
- href: intelligence/prevent-malware-infection.md
- - name: Malware names
- href: intelligence/malware-naming.md
- - name: Coin miners
- href: intelligence/coinminer-malware.md
- - name: Exploits and exploit kits
- href: intelligence/exploits-malware.md
- - name: Fileless threats
- href: intelligence/fileless-threats.md
- - name: Macro malware
- href: intelligence/macro-malware.md
- - name: Phishing
- href: intelligence/phishing.md
- - name: Ransomware
- href: /security/compass/human-operated-ransomware
- - name: Rootkits
- href: intelligence/rootkits-malware.md
- - name: Supply chain attacks
- href: intelligence/supply-chain-malware.md
- - name: Tech support scams
- href: intelligence/support-scams.md
- - name: Trojans
- href: intelligence/trojans-malware.md
- - name: Unwanted software
- href: intelligence/unwanted-software.md
- - name: Worms
- href: intelligence/worms-malware.md
- - name: How Microsoft identifies malware and PUA
- href: intelligence/criteria.md
- - name: Submit files for analysis
- href: intelligence/submission-guide.md
- - name: Safety Scanner download
- href: intelligence/safety-scanner-download.md
- - name: Industry collaboration programs
- href: intelligence/cybersecurity-industry-partners.md
- items:
- - name: Virus information alliance
- href: intelligence/virus-information-alliance-criteria.md
- - name: Microsoft virus initiative
- href: intelligence/virus-initiative-criteria.md
- - name: Coordinated malware eradication
- href: intelligence/coordinated-malware-eradication.md
- - name: Information for developers
- items:
- - name: Software developer FAQ
- href: intelligence/developer-faq.yml
- - name: Software developer resources
- href: intelligence/developer-resources.md
- - name: The Windows Security app
- href: windows-defender-security-center/windows-defender-security-center.md
- items:
- - name: Customize the Windows Security app for your organization
- href: windows-defender-security-center/wdsc-customize-contact-information.md
- - name: Hide Windows Security app notifications
- href: windows-defender-security-center/wdsc-hide-notifications.md
- - name: Manage Windows Security app in Windows 10 in S mode
- href: windows-defender-security-center/wdsc-windows-10-in-s-mode.md
- - name: Virus and threat protection
- href: windows-defender-security-center/wdsc-virus-threat-protection.md
- - name: Account protection
- href: windows-defender-security-center/wdsc-account-protection.md
- - name: Firewall and network protection
- href: windows-defender-security-center/wdsc-firewall-network-protection.md
- - name: App and browser control
- href: windows-defender-security-center/wdsc-app-browser-control.md
- - name: Device security
- href: windows-defender-security-center/wdsc-device-security.md
- - name: Device performance and health
- href: windows-defender-security-center/wdsc-device-performance-health.md
- items:
- - name: Family options
- href: windows-defender-security-center/wdsc-family-options.md
- - name: Microsoft Defender SmartScreen
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-overview.md
- items:
- - name: Microsoft Defender SmartScreen Group Policy and mobile device management (MDM) settings
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-available-settings.md
- - name: Set up and use Microsoft Defender SmartScreen on individual devices
- href: microsoft-defender-smartscreen/microsoft-defender-smartscreen-set-individual-device.md
- - name: Windows Sandbox
- href: windows-sandbox/windows-sandbox-overview.md
- items:
- - name: Windows Sandbox architecture
- href: windows-sandbox/windows-sandbox-architecture.md
- - name: Windows Sandbox configuration
- href: windows-sandbox/windows-sandbox-configure-using-wsb-file.md
- - name: "Windows Defender Application Control and virtualization-based protection of code integrity"
- href: device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md
- - name: Windows Certifications
- items:
- - name: FIPS 140 Validations
- href: fips-140-validation.md
- - name: Common Criteria Certifications
- href: windows-platform-common-criteria.md
- - name: More Windows 10 security
- items:
- - name: Control the health of Windows 10-based devices
- href: protect-high-value-assets-by-controlling-the-health-of-windows-10-based-devices.md
- - name: Mitigate threats by using Windows 10 security features
- href: overview-of-threat-mitigations-in-windows-10.md
- - name: Override Process Mitigation Options to help enforce app-related security policies
- href: override-mitigation-options-for-app-related-security-policies.md
- - name: Use Windows Event Forwarding to help with intrusion detection
- href: use-windows-event-forwarding-to-assist-in-intrusion-detection.md
- - name: Block untrusted fonts in an enterprise
- href: block-untrusted-fonts-in-enterprise.md
- - name: Security auditing
- href: auditing/security-auditing-overview.md
- items:
- - name: Basic security audit policies
- href: auditing/basic-security-audit-policies.md
- items:
- - name: Create a basic audit policy for an event category
- href: auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
- - name: Apply a basic audit policy on a file or folder
- href: auditing/apply-a-basic-audit-policy-on-a-file-or-folder.md
- - name: View the security event log
- href: auditing/view-the-security-event-log.md
- - name: Basic security audit policy settings
- href: auditing/basic-security-audit-policy-settings.md
- items:
- - name: Audit account logon events
- href: auditing/basic-audit-account-logon-events.md
- - name: Audit account management
- href: auditing/basic-audit-account-management.md
- - name: Audit directory service access
- href: auditing/basic-audit-directory-service-access.md
- - name: Audit logon events
- href: auditing/basic-audit-logon-events.md
- - name: Audit object access
- href: auditing/basic-audit-object-access.md
- - name: Audit policy change
- href: auditing/basic-audit-policy-change.md
- - name: Audit privilege use
- href: auditing/basic-audit-privilege-use.md
- - name: Audit process tracking
- href: auditing/basic-audit-process-tracking.md
- - name: Audit system events
- href: auditing/basic-audit-system-events.md
- - name: Advanced security audit policies
- href: auditing/advanced-security-auditing.md
- items:
- - name: Planning and deploying advanced security audit policies
- href: auditing/planning-and-deploying-advanced-security-audit-policies.md
- - name: Advanced security auditing FAQ
- href: auditing/advanced-security-auditing-faq.yml
- items:
- - name: Which editions of Windows support advanced audit policy configuration
- href: auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
- - name: How to list XML elements in \
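Review bot: this deletes the whole `windows/security/threat-protection/TOC.yml` without a replacement visible in the PR, yet many of the pages it indexed are still being edited further down in this same change (for example `auditing/audit-sensitive-privilege-use.md`, `auditing/basic-audit-account-logon-events.md` and `auditing/basic-security-audit-policies.md`, all listed under the `Security auditing` node here). Confirm those entries, and the non-auditing ones such as `windows-defender-application-control/windows-defender-application-control.md` and `windows-firewall/windows-firewall-with-advanced-security.md`, have been re-homed in a parent TOC; otherwise every page that only appeared here drops out of site navigation while remaining published.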
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
-| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events we strongly recommend monitoring an allow list of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Domain Controller | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should have “SYSTEM” as value for **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Member Server | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
+| Workstation | Yes | No | Yes | No | The main reason why we recommend Success auditing for this subcategory is “[4697](event-4697.md)(S): A service was installed in the system.”
For other events, we strongly recommend monitoring an allowlist of allowed security extensions (authenticated packages, logon processes, notification packages, and security packages). Otherwise it's hard to pull useful information from these events, except event 4611 which typically should display “SYSTEM” for the **“Subject”** field.
This subcategory doesn’t have Failure events, so there is no recommendation to enable Failure auditing for this subcategory. |
**Events List:**
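Review bot: "an allowlist of allowed security extensions" is redundant in all three rewritten rows (Domain Controller, Member Server, Workstation); "an allowlist of security extensions (authenticated packages, logon processes, notification packages, and security packages)" says the same thing without the doubled word. The rewrite also carries over a wording mismatch the three rows could have been aligned on: the Domain Controller row says 4611 "typically should have “SYSTEM” as value for **“Subject”** field" while the other two say it "typically should display “SYSTEM” for the **“Subject”** field"; since the three cells are otherwise identical, use one phrasing. Finally, if the line breaks inside each cell are literal newlines rather than `<br>` tags, these rows will not render as a single Markdown table row.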
diff --git a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
index fe6ad3206b..d2929dbc8b 100644
--- a/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
+++ b/windows/security/threat-protection/auditing/audit-sensitive-privilege-use.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit Sensitive Privilege Use
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit Sensitive Privilege Use contains events that show the usage of sensitive privileges. This is the list of sensitive privileges:
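Review bot: removing the `**Applies to**` block (Windows 10, Windows Server 2016) leaves the page with no statement of which Windows versions it covers, and bumping `ms.date` to 09/06/2021 signals a content refresh that did not happen. If the list was stale, state the current applicability (for instance in the page metadata or an updated list) instead of deleting it outright. The same pattern repeats in every `audit-*.md` and `basic-audit-*.md` hunk below, so the fix should be applied consistently across the batch.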
diff --git a/windows/security/threat-protection/auditing/audit-special-logon.md b/windows/security/threat-protection/auditing/audit-special-logon.md
index c852e45990..a2c7e6fe4c 100644
--- a/windows/security/threat-protection/auditing/audit-special-logon.md
+++ b/windows/security/threat-protection/auditing/audit-special-logon.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit Special Logon
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit Special Logon determines whether the operating system generates audit events under special sign on (or log on) circumstances.
diff --git a/windows/security/threat-protection/auditing/audit-system-integrity.md b/windows/security/threat-protection/auditing/audit-system-integrity.md
index f9be77c1eb..d88432587a 100644
--- a/windows/security/threat-protection/auditing/audit-system-integrity.md
+++ b/windows/security/threat-protection/auditing/audit-system-integrity.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit System Integrity
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit System Integrity determines whether the operating system audits events that violate the integrity of the security subsystem.
diff --git a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
index c53c887d1f..51362e65a8 100644
--- a/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
+++ b/windows/security/threat-protection/auditing/audit-token-right-adjusted.md
@@ -11,10 +11,6 @@ ms.technology: mde
# Audit Token Right Adjusted
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit Token Right Adjusted allows you to audit events generated by adjusting the privileges of a token.
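Review bot: this hunk is the odd one out in the batch: every other file that loses its `**Applies to**` block also gets `ms.date: 09/06/2021`, but here the header is `@@ -11,10 +11,6 @@ ms.technology: mde` and only the four lines are removed, leaving `ms.date` untouched. Either bump the date here as well or drop the date bumps elsewhere so the metadata change is consistent across the change set.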
diff --git a/windows/security/threat-protection/auditing/audit-user-account-management.md b/windows/security/threat-protection/auditing/audit-user-account-management.md
index 145e04e477..97b551d31a 100644
--- a/windows/security/threat-protection/auditing/audit-user-account-management.md
+++ b/windows/security/threat-protection/auditing/audit-user-account-management.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit User Account Management
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit User Account Management determines whether the operating system generates audit events when specific user account management tasks are performed.
diff --git a/windows/security/threat-protection/auditing/audit-user-device-claims.md b/windows/security/threat-protection/auditing/audit-user-device-claims.md
index 6051e50d2f..f5b3b71fa8 100644
--- a/windows/security/threat-protection/auditing/audit-user-device-claims.md
+++ b/windows/security/threat-protection/auditing/audit-user-device-claims.md
@@ -11,16 +11,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit User/Device Claims
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Audit User/Device Claims allows you to audit user and device claims information in the account’s logon token. Events in this subcategory are generated on the computer on which a logon session is created. For an interactive logon, the security audit event is generated on the computer that the user logged on to.
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
index 7e9d098f5d..9e83b22f8e 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-logon-events.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit account logon events
-**Applies to**
-- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from another device in which this device is used to validate the account.
diff --git a/windows/security/threat-protection/auditing/basic-audit-account-management.md b/windows/security/threat-protection/auditing/basic-audit-account-management.md
index 5541fc0f63..e438366e30 100644
--- a/windows/security/threat-protection/auditing/basic-audit-account-management.md
+++ b/windows/security/threat-protection/auditing/basic-audit-account-management.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit account management
-**Applies to**
-- Windows 10
Determines whether to audit each event of account management on a device.
diff --git a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
index e52e2e7382..fb18731a64 100644
--- a/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-directory-service-access.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit directory service access
-**Applies to**
-- Windows 10
Determines whether to audit the event of a user accessing an Active Directory object that has its own system access control list (SACL) specified.
diff --git a/windows/security/threat-protection/auditing/basic-audit-logon-events.md b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
index c730790cfa..569a8335dd 100644
--- a/windows/security/threat-protection/auditing/basic-audit-logon-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-logon-events.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit logon events
-**Applies to**
-- Windows 10
Determines whether to audit each instance of a user logging on to or logging off from a device.
diff --git a/windows/security/threat-protection/auditing/basic-audit-object-access.md b/windows/security/threat-protection/auditing/basic-audit-object-access.md
index 7bb1357af3..3cc432b64b 100644
--- a/windows/security/threat-protection/auditing/basic-audit-object-access.md
+++ b/windows/security/threat-protection/auditing/basic-audit-object-access.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit object access
-**Applies to**
-- Windows 10
Determines whether to audit the event of a user accessing an object--for example, a file, folder, registry key, printer, and so forth--that has its own system access control list (SACL) specified.
diff --git a/windows/security/threat-protection/auditing/basic-audit-policy-change.md b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
index a04167e8c2..3e7cc6a8ea 100644
--- a/windows/security/threat-protection/auditing/basic-audit-policy-change.md
+++ b/windows/security/threat-protection/auditing/basic-audit-policy-change.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit policy change
-**Applies to**
-- Windows 10
Determines whether to audit every incident of a change to user rights assignment policies, audit policies, or trust policies.
diff --git a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
index 4b6a28a415..ff6e5dff98 100644
--- a/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
+++ b/windows/security/threat-protection/auditing/basic-audit-privilege-use.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit privilege use
-**Applies to**
-- Windows 10
Determines whether to audit each instance of a user exercising a user right.
diff --git a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
index c2e1ff94ca..a7f08b9c20 100644
--- a/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
+++ b/windows/security/threat-protection/auditing/basic-audit-process-tracking.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit process tracking
-**Applies to**
-- Windows 10
Determines whether to audit detailed tracking information for events such as program activation, process exit, handle duplication, and indirect object access.
diff --git a/windows/security/threat-protection/auditing/basic-audit-system-events.md b/windows/security/threat-protection/auditing/basic-audit-system-events.md
index 8c5e33028e..4201c2447f 100644
--- a/windows/security/threat-protection/auditing/basic-audit-system-events.md
+++ b/windows/security/threat-protection/auditing/basic-audit-system-events.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Audit system events
-**Applies to**
-- Windows 10
Determines whether to audit when a user restarts or shuts down the computer or when an event occurs that affects either the system security or the security log.
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policies.md b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
index fd291c792a..012b98550f 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policies.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Basic security audit policies
-**Applies to**
-- Windows 10
Before you implement auditing, you must decide on an auditing policy. A basic audit policy specifies categories of security-related events that you want to audit. When this version of Windows is first installed, all auditing categories are disabled. By enabling various auditing event categories, you can implement an auditing policy that suits the security needs of your organization.
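Review bot: with `- Windows 10` deleted, the unchanged sentence "When this version of Windows is first installed, all auditing categories are disabled." has nothing for "this version" to refer to. Reword it, for example "When Windows is first installed, all auditing categories are disabled.", or name the platform explicitly, rather than leaving the dangling reference.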
diff --git a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
index 0ddb0a6152..0b56e07522 100644
--- a/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
+++ b/windows/security/threat-protection/auditing/basic-security-audit-policy-settings.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/06/2021
ms.technology: mde
---
# Basic security audit policy settings
-**Applies to**
-- Windows 10
Basic security audit policy settings are found under Computer Configuration\\Windows Settings\\Security Settings\\Local Policies\\Audit Policy.
diff --git a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
index 526946d4b5..054ff9b595 100644
--- a/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
+++ b/windows/security/threat-protection/auditing/create-a-basic-audit-policy-settings-for-an-event-category.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.technology: mde
---
# Create a basic audit policy for an event category
-**Applies to**
-- Windows 10
By defining auditing settings for specific event categories, you can create an auditing policy that suits the security needs of your organization. On devices that are joined to a domain, auditing settings for the event categories are undefined by default. On domain controllers, auditing is turned on by default.
diff --git a/windows/security/threat-protection/auditing/event-1100.md b/windows/security/threat-protection/auditing/event-1100.md
index f3fbd46308..c8ac91b393 100644
--- a/windows/security/threat-protection/auditing/event-1100.md
+++ b/windows/security/threat-protection/auditing/event-1100.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 1100(S): The event logging service has shut down.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-1102.md b/windows/security/threat-protection/auditing/event-1102.md
index fecf1badde..02ac9384e5 100644
--- a/windows/security/threat-protection/auditing/event-1102.md
+++ b/windows/security/threat-protection/auditing/event-1102.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 1102(S): The audit log was cleared.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-1104.md b/windows/security/threat-protection/auditing/event-1104.md
index 8d6a8dfd16..0c5e2917af 100644
--- a/windows/security/threat-protection/auditing/event-1104.md
+++ b/windows/security/threat-protection/auditing/event-1104.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 1104(S): The security log is now full.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-1105.md b/windows/security/threat-protection/auditing/event-1105.md
index ca327249e4..1aeaa58c8e 100644
--- a/windows/security/threat-protection/auditing/event-1105.md
+++ b/windows/security/threat-protection/auditing/event-1105.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 1105(S): Event log automatic backup
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-1108.md b/windows/security/threat-protection/auditing/event-1108.md
index 440e411f38..1a7f0cbd1e 100644
--- a/windows/security/threat-protection/auditing/event-1108.md
+++ b/windows/security/threat-protection/auditing/event-1108.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 1108(S): The event logging service encountered an error while processing an incoming event published from %1.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4608.md b/windows/security/threat-protection/auditing/event-4608.md
index 6372e6acc2..255036037d 100644
--- a/windows/security/threat-protection/auditing/event-4608.md
+++ b/windows/security/threat-protection/auditing/event-4608.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4608(S): Windows is starting up.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4610.md b/windows/security/threat-protection/auditing/event-4610.md
index aba324fd61..2249612819 100644
--- a/windows/security/threat-protection/auditing/event-4610.md
+++ b/windows/security/threat-protection/auditing/event-4610.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4610(S): An authentication package has been loaded by the Local Security Authority.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4611.md b/windows/security/threat-protection/auditing/event-4611.md
index 50583e6f70..b4ce0a9d8d 100644
--- a/windows/security/threat-protection/auditing/event-4611.md
+++ b/windows/security/threat-protection/auditing/event-4611.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4611(S): A trusted logon process has been registered with the Local Security Authority.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4612.md b/windows/security/threat-protection/auditing/event-4612.md
index c4561550d5..aa8b9ecc61 100644
--- a/windows/security/threat-protection/auditing/event-4612.md
+++ b/windows/security/threat-protection/auditing/event-4612.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4612(S): Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event is generated when audit queues are filled and events must be discarded. This most commonly occurs when security events are being generated faster than they are being written to disk.
diff --git a/windows/security/threat-protection/auditing/event-4614.md b/windows/security/threat-protection/auditing/event-4614.md
index ca4c161420..959ef959e9 100644
--- a/windows/security/threat-protection/auditing/event-4614.md
+++ b/windows/security/threat-protection/auditing/event-4614.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4614(S): A notification package has been loaded by the Security Account Manager.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4615.md b/windows/security/threat-protection/auditing/event-4615.md
index 6c8f9cd7ac..82dbd7d648 100644
--- a/windows/security/threat-protection/auditing/event-4615.md
+++ b/windows/security/threat-protection/auditing/event-4615.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4615(S): Invalid use of LPC port.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
It appears that this event never occurs.
diff --git a/windows/security/threat-protection/auditing/event-4616.md b/windows/security/threat-protection/auditing/event-4616.md
index 690bde945f..2fc4b43b2c 100644
--- a/windows/security/threat-protection/auditing/event-4616.md
+++ b/windows/security/threat-protection/auditing/event-4616.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4616(S): The system time was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4618.md b/windows/security/threat-protection/auditing/event-4618.md
index c1bc41f942..baa0727774 100644
--- a/windows/security/threat-protection/auditing/event-4618.md
+++ b/windows/security/threat-protection/auditing/event-4618.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4618(S): A monitored security event pattern has occurred.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
***Subcategory:*** [Audit System Integrity](audit-system-integrity.md)
diff --git a/windows/security/threat-protection/auditing/event-4621.md b/windows/security/threat-protection/auditing/event-4621.md
index 9ffb0fee15..d3475dbb08 100644
--- a/windows/security/threat-protection/auditing/event-4621.md
+++ b/windows/security/threat-protection/auditing/event-4621.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,9 +16,6 @@ ms.technology: mde
# 4621(S): Administrator recovered system from CrashOnAuditFail.
-**Applies to**
-- Windows 10
-- Windows Server 2016
This event is logged after a system reboots following [CrashOnAuditFail](/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)?f=255&MSPPError=-2147217396). It generates when CrashOnAuditFail = 2.
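Review bot: the unchanged link on the last context line still carries an error-page query string, `?f=255&MSPPError=-2147217396`, which is not part of the target URL; since the file is being touched anyway, trim the link to `/previous-versions/windows/it-pro/windows-2000-server/cc963220(v=technet.10)`. Note also that this hunk (`@@ -16,9 +16,6 @@`) removes only the three list lines and not the trailing blank line that the other event pages drop, so check that the rendered spacing under the heading matches those pages.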
diff --git a/windows/security/threat-protection/auditing/event-4622.md b/windows/security/threat-protection/auditing/event-4622.md
index 46f54afcca..5404c4491b 100644
--- a/windows/security/threat-protection/auditing/event-4622.md
+++ b/windows/security/threat-protection/auditing/event-4622.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4622(S): A security package has been loaded by the Local Security Authority.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
@@ -101,4 +97,4 @@ These are some Security Package DLLs loaded by default in Windows 10:
For 4622(S): A security package has been loaded by the Local Security Authority.
-- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allow list or not.
\ No newline at end of file
+- Typically this event has an informational purpose. If you defined the list of allowed Security Packages in the system, then you can check is “**Security Package Name”** field value in the allowlist or not.
\ No newline at end of file
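Review bot: swapping "allow list" for "allowlist" leaves the sentence ungrammatical ("you can check is ... field value in the allowlist or not") and keeps the misnested quote/bold markup `“**Security Package Name”**`. Suggest: `- Typically this event has an informational purpose. If you maintain a list of allowed Security Packages on the system, check whether the **Security Package Name** field value is in that allowlist.` The file also still ends without a trailing newline on both sides of the change, and the hunk's context line, "These are some Security Package DLLs loaded by default in Windows 10:", keeps a Windows 10-specific statement after the `**Applies to**` block above it was removed.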
diff --git a/windows/security/threat-protection/auditing/event-4624.md b/windows/security/threat-protection/auditing/event-4624.md
index a61449dada..6a36fda6d7 100644
--- a/windows/security/threat-protection/auditing/event-4624.md
+++ b/windows/security/threat-protection/auditing/event-4624.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4624(S): An account was successfully logged on.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4625.md b/windows/security/threat-protection/auditing/event-4625.md
index d613787ba3..ec92960ecc 100644
--- a/windows/security/threat-protection/auditing/event-4625.md
+++ b/windows/security/threat-protection/auditing/event-4625.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4625(F): An account failed to log on.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4626.md b/windows/security/threat-protection/auditing/event-4626.md
index 667de4c561..1aba2f1f3b 100644
--- a/windows/security/threat-protection/auditing/event-4626.md
+++ b/windows/security/threat-protection/auditing/event-4626.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4626(S): User/Device claims information.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4627.md b/windows/security/threat-protection/auditing/event-4627.md
index 4a4fce1919..8ad79efcb2 100644
--- a/windows/security/threat-protection/auditing/event-4627.md
+++ b/windows/security/threat-protection/auditing/event-4627.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4627(S): Group membership information.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4634.md b/windows/security/threat-protection/auditing/event-4634.md
index b0541e2dbb..16bf3e049d 100644
--- a/windows/security/threat-protection/auditing/event-4634.md
+++ b/windows/security/threat-protection/auditing/event-4634.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 11/20/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4634(S): An account was logged off.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4647.md b/windows/security/threat-protection/auditing/event-4647.md
index 14dc2a7083..01428dba45 100644
--- a/windows/security/threat-protection/auditing/event-4647.md
+++ b/windows/security/threat-protection/auditing/event-4647.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4647(S): User initiated logoff.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4648.md b/windows/security/threat-protection/auditing/event-4648.md
index 44eb565de4..8d81d41573 100644
--- a/windows/security/threat-protection/auditing/event-4648.md
+++ b/windows/security/threat-protection/auditing/event-4648.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4648(S): A logon was attempted using explicit credentials.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4649.md b/windows/security/threat-protection/auditing/event-4649.md
index 06ae9ca1aa..75f1bf3c96 100644
--- a/windows/security/threat-protection/auditing/event-4649.md
+++ b/windows/security/threat-protection/auditing/event-4649.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4649(S): A replay attack was detected.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates on domain controllers when **KRB\_AP\_ERR\_REPEAT** Kerberos response was sent to the client.
diff --git a/windows/security/threat-protection/auditing/event-4656.md b/windows/security/threat-protection/auditing/event-4656.md
index 7332ad06b8..7aee847e93 100644
--- a/windows/security/threat-protection/auditing/event-4656.md
+++ b/windows/security/threat-protection/auditing/event-4656.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4656(S, F): A handle to an object was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4657.md b/windows/security/threat-protection/auditing/event-4657.md
index e0d0985203..39cb4e6052 100644
--- a/windows/security/threat-protection/auditing/event-4657.md
+++ b/windows/security/threat-protection/auditing/event-4657.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4657(S): A registry value was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4658.md b/windows/security/threat-protection/auditing/event-4658.md
index 85b56fb6d0..0acb8a0b2f 100644
--- a/windows/security/threat-protection/auditing/event-4658.md
+++ b/windows/security/threat-protection/auditing/event-4658.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4658(S): The handle to an object was closed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4660.md b/windows/security/threat-protection/auditing/event-4660.md
index 7a921090fd..871435d568 100644
--- a/windows/security/threat-protection/auditing/event-4660.md
+++ b/windows/security/threat-protection/auditing/event-4660.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4660(S): An object was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4661.md b/windows/security/threat-protection/auditing/event-4661.md
index 27afd56d00..77da9a1780 100644
--- a/windows/security/threat-protection/auditing/event-4661.md
+++ b/windows/security/threat-protection/auditing/event-4661.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4661(S, F): A handle to an object was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4662.md b/windows/security/threat-protection/auditing/event-4662.md
index b9d488c090..7950f49912 100644
--- a/windows/security/threat-protection/auditing/event-4662.md
+++ b/windows/security/threat-protection/auditing/event-4662.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4662(S, F): An operation was performed on an object.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4663.md b/windows/security/threat-protection/auditing/event-4663.md
index efa297ac08..d85a14bddf 100644
--- a/windows/security/threat-protection/auditing/event-4663.md
+++ b/windows/security/threat-protection/auditing/event-4663.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4663(S): An attempt was made to access an object.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4664.md b/windows/security/threat-protection/auditing/event-4664.md
index 9c99e5f2bc..36c3d8aa08 100644
--- a/windows/security/threat-protection/auditing/event-4664.md
+++ b/windows/security/threat-protection/auditing/event-4664.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4664(S): An attempt was made to create a hard link.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4670.md b/windows/security/threat-protection/auditing/event-4670.md
index ea7d4dcf1e..0f070cd8f8 100644
--- a/windows/security/threat-protection/auditing/event-4670.md
+++ b/windows/security/threat-protection/auditing/event-4670.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4670(S): Permissions on an object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4671.md b/windows/security/threat-protection/auditing/event-4671.md
index fb46f1fb5a..cc53508b8f 100644
--- a/windows/security/threat-protection/auditing/event-4671.md
+++ b/windows/security/threat-protection/auditing/event-4671.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,11 +16,7 @@ ms.technology: mde
# 4671(-): An application attempted to access a blocked ordinal through the TBS.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-
+*
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
***Subcategory:*** [Audit Other Object Access Events](audit-other-object-access-events.md)
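Review bot: the added `+*` line looks accidental; a lone asterisk directly under the heading will render as an empty bullet or a stray italics marker. Delete it so this hunk only removes the `**Applies to**` block, as the other event pages in the patch do, and let "Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system." remain the first line of body text.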
diff --git a/windows/security/threat-protection/auditing/event-4672.md b/windows/security/threat-protection/auditing/event-4672.md
index 479e31207b..3e563025ba 100644
--- a/windows/security/threat-protection/auditing/event-4672.md
+++ b/windows/security/threat-protection/auditing/event-4672.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 12/20/2018
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4672(S): Special privileges assigned to new logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4673.md b/windows/security/threat-protection/auditing/event-4673.md
index cf5ef8d500..82e7ac1332 100644
--- a/windows/security/threat-protection/auditing/event-4673.md
+++ b/windows/security/threat-protection/auditing/event-4673.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4673(S, F): A privileged service was called.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4674.md b/windows/security/threat-protection/auditing/event-4674.md
index 734ce174c2..7a4b1a3654 100644
--- a/windows/security/threat-protection/auditing/event-4674.md
+++ b/windows/security/threat-protection/auditing/event-4674.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4674(S, F): An operation was attempted on a privileged object.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4675.md b/windows/security/threat-protection/auditing/event-4675.md
index 0af7742f2c..f2a5d0c97e 100644
--- a/windows/security/threat-protection/auditing/event-4675.md
+++ b/windows/security/threat-protection/auditing/event-4675.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4675(S): SIDs were filtered.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when SIDs were filtered for specific Active Directory trust.
diff --git a/windows/security/threat-protection/auditing/event-4688.md b/windows/security/threat-protection/auditing/event-4688.md
index fbb93d7b9b..12b9206a7f 100644
--- a/windows/security/threat-protection/auditing/event-4688.md
+++ b/windows/security/threat-protection/auditing/event-4688.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4688(S): A new process has been created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4689.md b/windows/security/threat-protection/auditing/event-4689.md
index 99bee451d9..49ec3f5924 100644
--- a/windows/security/threat-protection/auditing/event-4689.md
+++ b/windows/security/threat-protection/auditing/event-4689.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4689(S): A process has exited.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4690.md b/windows/security/threat-protection/auditing/event-4690.md
index d7a23d1da4..14d2dcb02d 100644
--- a/windows/security/threat-protection/auditing/event-4690.md
+++ b/windows/security/threat-protection/auditing/event-4690.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4690(S): An attempt was made to duplicate a handle to an object.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4691.md b/windows/security/threat-protection/auditing/event-4691.md
index c7ea74bdd7..30a869d7fc 100644
--- a/windows/security/threat-protection/auditing/event-4691.md
+++ b/windows/security/threat-protection/auditing/event-4691.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4691(S): Indirect access to an object was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4692.md b/windows/security/threat-protection/auditing/event-4692.md
index 064c922cb4..7e1e0b5ab9 100644
--- a/windows/security/threat-protection/auditing/event-4692.md
+++ b/windows/security/threat-protection/auditing/event-4692.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4692(S, F): Backup of data protection master key was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4693.md b/windows/security/threat-protection/auditing/event-4693.md
index 1359ef1968..1bf4eef838 100644
--- a/windows/security/threat-protection/auditing/event-4693.md
+++ b/windows/security/threat-protection/auditing/event-4693.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4693(S, F): Recovery of data protection master key was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4694.md b/windows/security/threat-protection/auditing/event-4694.md
index 0b35bda1ba..c6e3ca0a8c 100644
--- a/windows/security/threat-protection/auditing/event-4694.md
+++ b/windows/security/threat-protection/auditing/event-4694.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4694(S, F): Protection of auditable protected data was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function was used with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
diff --git a/windows/security/threat-protection/auditing/event-4695.md b/windows/security/threat-protection/auditing/event-4695.md
index 9acd287be1..55d37910f6 100644
--- a/windows/security/threat-protection/auditing/event-4695.md
+++ b/windows/security/threat-protection/auditing/event-4695.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4695(S, F): Unprotection of auditable protected data was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates if [DPAPI](/previous-versions/ms995355(v=msdn.10)) [CryptUnprotectData](/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata)() function was used to unprotect “auditable” data that was encrypted using [**CryptProtectData**](/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata)() function with **CRYPTPROTECT\_AUDIT** flag (dwFlags) enabled.
diff --git a/windows/security/threat-protection/auditing/event-4696.md b/windows/security/threat-protection/auditing/event-4696.md
index f156dc723b..c426f2bd9e 100644
--- a/windows/security/threat-protection/auditing/event-4696.md
+++ b/windows/security/threat-protection/auditing/event-4696.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4696(S): A primary token was assigned to process.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4697.md b/windows/security/threat-protection/auditing/event-4697.md
index 870352146b..4c6103a175 100644
--- a/windows/security/threat-protection/auditing/event-4697.md
+++ b/windows/security/threat-protection/auditing/event-4697.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4697(S): A service was installed in the system.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4698.md b/windows/security/threat-protection/auditing/event-4698.md
index 9ca662fa59..e3f0385c69 100644
--- a/windows/security/threat-protection/auditing/event-4698.md
+++ b/windows/security/threat-protection/auditing/event-4698.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4698(S): A scheduled task was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4699.md b/windows/security/threat-protection/auditing/event-4699.md
index dd814dd942..b48820c643 100644
--- a/windows/security/threat-protection/auditing/event-4699.md
+++ b/windows/security/threat-protection/auditing/event-4699.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4699(S): A scheduled task was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4700.md b/windows/security/threat-protection/auditing/event-4700.md
index e72f7d19f0..6c44dbfa8d 100644
--- a/windows/security/threat-protection/auditing/event-4700.md
+++ b/windows/security/threat-protection/auditing/event-4700.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4700(S): A scheduled task was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4701.md b/windows/security/threat-protection/auditing/event-4701.md
index e407e2bbbb..0fa78f8923 100644
--- a/windows/security/threat-protection/auditing/event-4701.md
+++ b/windows/security/threat-protection/auditing/event-4701.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4701(S): A scheduled task was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4702.md b/windows/security/threat-protection/auditing/event-4702.md
index 15d128ceef..2ae3e2b5e3 100644
--- a/windows/security/threat-protection/auditing/event-4702.md
+++ b/windows/security/threat-protection/auditing/event-4702.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4702(S): A scheduled task was updated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4703.md b/windows/security/threat-protection/auditing/event-4703.md
index e8b7ecded9..a2d0ea1520 100644
--- a/windows/security/threat-protection/auditing/event-4703.md
+++ b/windows/security/threat-protection/auditing/event-4703.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4703(S): A user right was adjusted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4704.md b/windows/security/threat-protection/auditing/event-4704.md
index cb6b95669b..04357bb664 100644
--- a/windows/security/threat-protection/auditing/event-4704.md
+++ b/windows/security/threat-protection/auditing/event-4704.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4704(S): A user right was assigned.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4705.md b/windows/security/threat-protection/auditing/event-4705.md
index 5588e33560..0da39782ac 100644
--- a/windows/security/threat-protection/auditing/event-4705.md
+++ b/windows/security/threat-protection/auditing/event-4705.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4705(S): A user right was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4706.md b/windows/security/threat-protection/auditing/event-4706.md
index e0abbded89..5bceee43f2 100644
--- a/windows/security/threat-protection/auditing/event-4706.md
+++ b/windows/security/threat-protection/auditing/event-4706.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4706(S): A new trust was created to a domain.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4707.md b/windows/security/threat-protection/auditing/event-4707.md
index f16f66bdcd..66c5a3a235 100644
--- a/windows/security/threat-protection/auditing/event-4707.md
+++ b/windows/security/threat-protection/auditing/event-4707.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4707(S): A trust to a domain was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4713.md b/windows/security/threat-protection/auditing/event-4713.md
index 032446b19b..1fc0eda8ae 100644
--- a/windows/security/threat-protection/auditing/event-4713.md
+++ b/windows/security/threat-protection/auditing/event-4713.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4713(S): Kerberos policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4714.md b/windows/security/threat-protection/auditing/event-4714.md
index d7c176a754..c95647f342 100644
--- a/windows/security/threat-protection/auditing/event-4714.md
+++ b/windows/security/threat-protection/auditing/event-4714.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4714(S): Encrypted data recovery policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4715.md b/windows/security/threat-protection/auditing/event-4715.md
index d4e9d14839..54836c643a 100644
--- a/windows/security/threat-protection/auditing/event-4715.md
+++ b/windows/security/threat-protection/auditing/event-4715.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4715(S): The audit policy (SACL) on an object was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4716.md b/windows/security/threat-protection/auditing/event-4716.md
index 1cd47c82c4..3b035321b0 100644
--- a/windows/security/threat-protection/auditing/event-4716.md
+++ b/windows/security/threat-protection/auditing/event-4716.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/04/2019
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4716(S): Trusted domain information was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4717.md b/windows/security/threat-protection/auditing/event-4717.md
index bd3378f122..0d79674053 100644
--- a/windows/security/threat-protection/auditing/event-4717.md
+++ b/windows/security/threat-protection/auditing/event-4717.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4717(S): System security access was granted to an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4718.md b/windows/security/threat-protection/auditing/event-4718.md
index 4c8c676ce4..22f9f3a64a 100644
--- a/windows/security/threat-protection/auditing/event-4718.md
+++ b/windows/security/threat-protection/auditing/event-4718.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4718(S): System security access was removed from an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4719.md b/windows/security/threat-protection/auditing/event-4719.md
index 98469b6945..dc67d391cf 100644
--- a/windows/security/threat-protection/auditing/event-4719.md
+++ b/windows/security/threat-protection/auditing/event-4719.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4719(S): System audit policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4720.md b/windows/security/threat-protection/auditing/event-4720.md
index 1569aebb53..1500cd23c9 100644
--- a/windows/security/threat-protection/auditing/event-4720.md
+++ b/windows/security/threat-protection/auditing/event-4720.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4720(S): A user account was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4722.md b/windows/security/threat-protection/auditing/event-4722.md
index e156a9bedf..6b10efb7c8 100644
--- a/windows/security/threat-protection/auditing/event-4722.md
+++ b/windows/security/threat-protection/auditing/event-4722.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4722(S): A user account was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4723.md b/windows/security/threat-protection/auditing/event-4723.md
index 8a2eb1aa9b..2208f2ae0e 100644
--- a/windows/security/threat-protection/auditing/event-4723.md
+++ b/windows/security/threat-protection/auditing/event-4723.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4723(S, F): An attempt was made to change an account's password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4724.md b/windows/security/threat-protection/auditing/event-4724.md
index f360a13828..104704dc32 100644
--- a/windows/security/threat-protection/auditing/event-4724.md
+++ b/windows/security/threat-protection/auditing/event-4724.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4724(S, F): An attempt was made to reset an account's password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4725.md b/windows/security/threat-protection/auditing/event-4725.md
index 5be795b261..0b6ed0593a 100644
--- a/windows/security/threat-protection/auditing/event-4725.md
+++ b/windows/security/threat-protection/auditing/event-4725.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4725(S): A user account was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4726.md b/windows/security/threat-protection/auditing/event-4726.md
index f8f7ffba8c..03f7cab6c8 100644
--- a/windows/security/threat-protection/auditing/event-4726.md
+++ b/windows/security/threat-protection/auditing/event-4726.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4726(S): A user account was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4731.md b/windows/security/threat-protection/auditing/event-4731.md
index 78d8e0e0c8..ecbe498b31 100644
--- a/windows/security/threat-protection/auditing/event-4731.md
+++ b/windows/security/threat-protection/auditing/event-4731.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4731(S): A security-enabled local group was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4732.md b/windows/security/threat-protection/auditing/event-4732.md
index 2619367fa3..b837e2da3a 100644
--- a/windows/security/threat-protection/auditing/event-4732.md
+++ b/windows/security/threat-protection/auditing/event-4732.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4732(S): A member was added to a security-enabled local group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4733.md b/windows/security/threat-protection/auditing/event-4733.md
index 219ebdc036..1ff01f46dd 100644
--- a/windows/security/threat-protection/auditing/event-4733.md
+++ b/windows/security/threat-protection/auditing/event-4733.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4733(S): A member was removed from a security-enabled local group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4734.md b/windows/security/threat-protection/auditing/event-4734.md
index df33b3726f..7fc762a800 100644
--- a/windows/security/threat-protection/auditing/event-4734.md
+++ b/windows/security/threat-protection/auditing/event-4734.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4734(S): A security-enabled local group was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4735.md b/windows/security/threat-protection/auditing/event-4735.md
index 14d1e6df28..ebd05f8b62 100644
--- a/windows/security/threat-protection/auditing/event-4735.md
+++ b/windows/security/threat-protection/auditing/event-4735.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4735(S): A security-enabled local group was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4738.md b/windows/security/threat-protection/auditing/event-4738.md
index f62d7e4ba8..1beea8a564 100644
--- a/windows/security/threat-protection/auditing/event-4738.md
+++ b/windows/security/threat-protection/auditing/event-4738.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4738(S): A user account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4739.md b/windows/security/threat-protection/auditing/event-4739.md
index e3268f4c69..d8417cef87 100644
--- a/windows/security/threat-protection/auditing/event-4739.md
+++ b/windows/security/threat-protection/auditing/event-4739.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4739(S): Domain Policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4740.md b/windows/security/threat-protection/auditing/event-4740.md
index db7139e935..095b90641e 100644
--- a/windows/security/threat-protection/auditing/event-4740.md
+++ b/windows/security/threat-protection/auditing/event-4740.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4740(S): A user account was locked out.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4741.md b/windows/security/threat-protection/auditing/event-4741.md
index 6c83f23d1e..c09ba86137 100644
--- a/windows/security/threat-protection/auditing/event-4741.md
+++ b/windows/security/threat-protection/auditing/event-4741.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4741(S): A computer account was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4742.md b/windows/security/threat-protection/auditing/event-4742.md
index 5d0cda5110..b838e77a00 100644
--- a/windows/security/threat-protection/auditing/event-4742.md
+++ b/windows/security/threat-protection/auditing/event-4742.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4742(S): A computer account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4743.md b/windows/security/threat-protection/auditing/event-4743.md
index 3402a5e1d7..064855d936 100644
--- a/windows/security/threat-protection/auditing/event-4743.md
+++ b/windows/security/threat-protection/auditing/event-4743.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4743(S): A computer account was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4749.md b/windows/security/threat-protection/auditing/event-4749.md
index 478ae9e021..e1990c4f1e 100644
--- a/windows/security/threat-protection/auditing/event-4749.md
+++ b/windows/security/threat-protection/auditing/event-4749.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4749(S): A security-disabled global group was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4750.md b/windows/security/threat-protection/auditing/event-4750.md
index 1a8a03f92a..9ebd361c00 100644
--- a/windows/security/threat-protection/auditing/event-4750.md
+++ b/windows/security/threat-protection/auditing/event-4750.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4750(S): A security-disabled global group was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4751.md b/windows/security/threat-protection/auditing/event-4751.md
index cc06f2ae5d..c187c0da6a 100644
--- a/windows/security/threat-protection/auditing/event-4751.md
+++ b/windows/security/threat-protection/auditing/event-4751.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4751(S): A member was added to a security-disabled global group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4752.md b/windows/security/threat-protection/auditing/event-4752.md
index ef79c01bca..642eb6b948 100644
--- a/windows/security/threat-protection/auditing/event-4752.md
+++ b/windows/security/threat-protection/auditing/event-4752.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4752(S): A member was removed from a security-disabled global group.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4753.md b/windows/security/threat-protection/auditing/event-4753.md
index 45b9de0d33..cf4ada677c 100644
--- a/windows/security/threat-protection/auditing/event-4753.md
+++ b/windows/security/threat-protection/auditing/event-4753.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4753(S): A security-disabled global group was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4764.md b/windows/security/threat-protection/auditing/event-4764.md
index 3b50ba9bf1..073049f2bf 100644
--- a/windows/security/threat-protection/auditing/event-4764.md
+++ b/windows/security/threat-protection/auditing/event-4764.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,9 +16,6 @@ ms.technology: mde
# 4764(S): A group’s type was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
diff --git a/windows/security/threat-protection/auditing/event-4765.md b/windows/security/threat-protection/auditing/event-4765.md
index ff685d9081..472f9a92d0 100644
--- a/windows/security/threat-protection/auditing/event-4765.md
+++ b/windows/security/threat-protection/auditing/event-4765.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4765(S): SID History was added to an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when [SID History](/windows/win32/adschema/a-sidhistory) was added to an account.
diff --git a/windows/security/threat-protection/auditing/event-4766.md b/windows/security/threat-protection/auditing/event-4766.md
index 7593423b22..bf5820689e 100644
--- a/windows/security/threat-protection/auditing/event-4766.md
+++ b/windows/security/threat-protection/auditing/event-4766.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4766(F): An attempt to add SID History to an account failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when an attempt to add [SID History](/windows/win32/adschema/a-sidhistory) to an account failed.
diff --git a/windows/security/threat-protection/auditing/event-4767.md b/windows/security/threat-protection/auditing/event-4767.md
index cf7b13e4f0..4b580f7dc0 100644
--- a/windows/security/threat-protection/auditing/event-4767.md
+++ b/windows/security/threat-protection/auditing/event-4767.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4767(S): A user account was unlocked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4768.md b/windows/security/threat-protection/auditing/event-4768.md
index fb7930f6d2..9509c1486b 100644
--- a/windows/security/threat-protection/auditing/event-4768.md
+++ b/windows/security/threat-protection/auditing/event-4768.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,12 +16,8 @@ ms.technology: mde
# 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
-
+:::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png":::
***Subcategory:*** [Audit Kerberos Authentication Service](audit-kerberos-authentication-service.md)
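Review bot: the two removed lines immediately before the added `:::image type="content" alt-text="Event 4768 illustration." source="images/event-4768.png":::` show up as blank here, so the original image reference being replaced is not visible in the hunk; please confirm that `images/event-4768.png` is the path the old tag pointed at and that the file exists relative to this page. Consider alt text that describes what the screenshot shows (for example the event's General tab) rather than the generic "Event 4768 illustration.".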
@@ -35,12 +31,13 @@ If TGT issue fails then you will see Failure event with **Result Code** field no
This event doesn't generate for **Result Codes**: 0x10, 0x17 and 0x18. Event “[4771](event-4771.md): Kerberos pre-authentication failed.” generates instead.
-> **Note** For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
+> [!NOTE]
+> For recommendations, see [Security Monitoring Recommendations](#security-monitoring-recommendations) for this event.
***Event XML:***
-```
+```xml
-
+> [!NOTE]
+> In the table below **“MSB 0”** bit numbering is used, because RFC documents use this style. In “MSB 0” style bit numbering begins from left.
+>
+>
The most common values:
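Review bot: the two trailing `+>` lines after the "MSB 0" note add empty blockquote lines inside the callout; the blank line that already follows them is enough to terminate the `[!NOTE]`, so both `>` lines should be dropped. The conversion of the bare `**Note**` to `[!NOTE]` and tagging the fence as ```xml are fine.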
@@ -185,9 +187,10 @@ The most common values:
| 30 | Renew | The RENEW option indicates that the present request is for a renewal. The ticket provided is encrypted in the secret key for the server on which it is valid. This option will only be honored if the ticket to be renewed has its RENEWABLE flag set and if the time in it’s renew-till field has not passed. The ticket to be renewed is passed in the padata field as part of the authentication header. |
| 31 | Validate | This option is used only by the ticket-granting service. The VALIDATE option indicates that the request is to validate a postdated ticket. Should not be in use, because postdated tickets are not supported by KILE. |
-> Table 2. Kerberos ticket flags.
->
-> **Note** [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
+## Table 2. Kerberos ticket flags
+
+> [!NOTE]
+> [KILE](/openspecs/windows_protocols/ms-kile/2a32282e-dd48-4ad9-a542-609804b02cc9) **(Microsoft Kerberos Protocol Extension)** – Kerberos protocol extensions used in Microsoft operating systems. These extensions provide additional capability for authorization information including group memberships, interactive logon information, and integrity levels.
- **Result Code** \[Type = HexInt32\]**:** hexadecimal result code of TGT issue operation. The “Table 3. TGT/TGS issue error codes.” contains the list of the most common error codes for this event.
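Review bot: promoting the caption "Table 2. Kerberos ticket flags" to an `## ` heading placed after the table changes the document outline: the heading now opens a section whose only content is the unrelated **Result Code** bullet, while the flags table itself stays under the preceding section. If captions must become headings (so they get anchors), move the heading above the table it names; otherwise keep the blockquote caption style that other auditing pages still use (event-4776.md in this same patch leaves "> Table 1. Winlogon Error Codes." as a blockquote). The same applies to the Table 3 hunk below. While this hunk is open, the context row for flag 30 has "it’s renew-till field", which should be "its renew-till field".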
@@ -252,12 +255,15 @@ The most common values:
| 0x43 | KRB\_AP\_ERR\_NO\_TGT | No TGT was presented or available | In user-to-user authentication if the service does not possess a ticket granting ticket, it should return the error KRB\_AP\_ERR\_NO\_TGT. |
| 0x44 | KDC\_ERR\_WRONG\_REALM | Incorrect domain or principal | Although this error rarely occurs, it occurs when a client presents a cross-realm TGT to a realm other than the one specified in the TGT. Typically, this results from incorrectly configured DNS. |
-> Table 3. TGT/TGS issue error codes.
+
+
+## Table 3. TGT/TGS issue error codes
- **Ticket Encryption Type** \[Type = HexInt32\]: the cryptographic suite that was used for issued TGT.
+
## Table 4. Kerberos encryption types
| Type | Type Name | Description |
@@ -274,7 +280,8 @@ The most common values:
- **Pre-Authentication Type** \[Type = UnicodeString\]: the code number of [pre-Authentication](/previous-versions/windows/it-pro/windows-server-2003/cc772815(v=ws.10)) type which was used in TGT request.
-## Table 5. Kerberos Pre-Authentication types.
+
+## Table 5. Kerberos Pre-Authentication types
| Type | Type Name | Description |
|------------------------------------------------------------------------|------------------------|------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
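Review bot: the heading "## Table 5. Kerberos Pre-Authentication types" will get the auto-generated anchor `#table-5-kerberos-pre-authentication-types`, but the **Security Monitoring Recommendations** table later in this file (the two **Pre-Authentication Type** rows, visible in the @@ -320 hunk) links to `#kerberos-preauthentication-types`, so those in-page links do not resolve to this heading unless a custom id is defined elsewhere. Either update the two links to the real slug or add an explicit anchor that matches them; dropping the trailing period from the heading alone does not fix this.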
@@ -301,7 +308,7 @@ The most common values:
For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
-| **Type of monitoring required** | **Recommendation** |
+| Type of monitoring required | Recommendation |
|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|----------------------------------------------------------------------------------------------------------------------------------------------------------------|
| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“User ID”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“User ID”** (with other information) to monitor how or when a particular account is being used. |
@@ -310,7 +317,7 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
| **External accounts**: You might be monitoring accounts from another domain, or “external” accounts that are not allowed to perform certain actions (represented by certain specific events). | Monitor this event for the **“Supplied Realm Name”** corresponding to another domain or “external” location. |
| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**User ID”** for names that don’t comply with naming conventions. |
-- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP range or not from private IP ranges.
+- You can track all [4768](event-4768.md) events where the **Client Address** is not from your internal IP address range or not from private IP address ranges.
- If you know that **Account Name** should be used only from known list of IP addresses, track all **Client Address** values for this **Account Name** in [4768](event-4768.md) events. If **Client Address** is not from the allowlist, generate the alert.
@@ -320,9 +327,9 @@ For 4768(S, F): A Kerberos authentication ticket (TGT) was requested.
- Also consider monitoring the fields shown in the following table, to discover the issues listed:
-| **Field** | **Issue to discover** |
+| Field | Issue to discover |
|-----------------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **Certificate Issuer Name** | Certification authority name is not from your PKI infrastructure. |
+| **Certificate Issuer Name** | Certification authority name is not from your PKI. |
| **Certificate Issuer Name** | Certification authority name is not authorized to issue smart card authentication certificates. |
| **Pre-Authentication Type** | Value is **0**, which means that pre-authentication was not used. All accounts should use Pre-Authentication, except accounts configured with “Do not require Kerberos preauthentication,” which is a security risk. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
| **Pre-Authentication Type** | Value is **not 15** when account must use a smart card for authentication. For more information, see [Table 5. Kerberos Pre-Authentication types](#kerberos-preauthentication-types). |
diff --git a/windows/security/threat-protection/auditing/event-4769.md b/windows/security/threat-protection/auditing/event-4769.md
index 5c460724b8..1790274e2c 100644
--- a/windows/security/threat-protection/auditing/event-4769.md
+++ b/windows/security/threat-protection/auditing/event-4769.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4769(S, F): A Kerberos service ticket was requested.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4770.md b/windows/security/threat-protection/auditing/event-4770.md
index ac38dc82f9..6a1627d7df 100644
--- a/windows/security/threat-protection/auditing/event-4770.md
+++ b/windows/security/threat-protection/auditing/event-4770.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4770(S): A Kerberos service ticket was renewed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4771.md b/windows/security/threat-protection/auditing/event-4771.md
index c5aea23ecb..9891a617a0 100644
--- a/windows/security/threat-protection/auditing/event-4771.md
+++ b/windows/security/threat-protection/auditing/event-4771.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 07/23/2020
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4771(F): Kerberos pre-authentication failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4772.md b/windows/security/threat-protection/auditing/event-4772.md
index 2124b16bb1..c93994b2ed 100644
--- a/windows/security/threat-protection/auditing/event-4772.md
+++ b/windows/security/threat-protection/auditing/event-4772.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4772(F): A Kerberos authentication ticket request failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4768](event-4768.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4773.md b/windows/security/threat-protection/auditing/event-4773.md
index ba672478d8..3d4e1fe09b 100644
--- a/windows/security/threat-protection/auditing/event-4773.md
+++ b/windows/security/threat-protection/auditing/event-4773.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4773(F): A Kerberos service ticket request failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4769](event-4769.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4774.md b/windows/security/threat-protection/auditing/event-4774.md
index 08eb0fe72f..4c01962461 100644
--- a/windows/security/threat-protection/auditing/event-4774.md
+++ b/windows/security/threat-protection/auditing/event-4774.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,9 +16,6 @@ ms.technology: mde
# 4774(S, F): An account was mapped for logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
Success events do not appear to occur. Failure event [has been reported](http://forum.ultimatewindowssecurity.com/Topic7313-282-1.aspx).
diff --git a/windows/security/threat-protection/auditing/event-4775.md b/windows/security/threat-protection/auditing/event-4775.md
index cf27ccdf2a..c9e4a319e8 100644
--- a/windows/security/threat-protection/auditing/event-4775.md
+++ b/windows/security/threat-protection/auditing/event-4775.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4775(F): An account could not be mapped for logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
It appears that this event never occurs.
diff --git a/windows/security/threat-protection/auditing/event-4776.md b/windows/security/threat-protection/auditing/event-4776.md
index 75dc6a4a69..4fde7cba9b 100644
--- a/windows/security/threat-protection/auditing/event-4776.md
+++ b/windows/security/threat-protection/auditing/event-4776.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/13/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4776(S, F): The computer attempted to validate the credentials for an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
@@ -116,7 +112,7 @@ This event does *not* generate when a domain account logs on locally to a domain
| 0xC0000193 | Account logon with expired account. |
| 0xC0000224 | Account logon with "Change Password at Next Logon" flagged. |
| 0xC0000234 | Account logon with account locked. |
-| 0xc0000371 | The local account store does not contain secret material for the specified account. |
+| 0xC0000371 | The local account store does not contain secret material for the specified account. |
| 0x0 | No errors. |
> Table 1. Winlogon Error Codes.
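Review bot: changing `0xc0000371` to `0xC0000371` makes the row consistent with the other NTSTATUS values in the table, good. Note that the caption "> Table 1. Winlogon Error Codes." is left as a blockquote here while this same patch converts the equivalent captions in event-4768.md into `## ` headings; the two files should use one caption style.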
@@ -125,14 +121,14 @@ This event does *not* generate when a domain account logs on locally to a domain
For 4776(S, F): The computer attempted to validate the credentials for an account.
-| **Type of monitoring required** | **Recommendation** |
-|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|
-| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
+| **Type of monitoring required** | **Recommendation** |
+|-----------------|---------|
+| **High-value accounts**: You might have high-value domain or local accounts for which you need to monitor each action.
Examples of high-value accounts are database administrators, built-in local administrator account, domain administrators, service accounts, domain controller accounts and so on. | Monitor this event with the **“Logon Account”** that corresponds to the high-value account or accounts. |
| **Anomalies or malicious actions**: You might have specific requirements for detecting anomalies or monitoring potential malicious actions. For example, you might need to monitor for use of an account outside of working hours. | When you monitor for anomalies or malicious actions, use the **“Logon Account”** value (with other information) to monitor how or when a particular account is being used.
To monitor activity of specific user accounts outside of working hours, monitor the appropriate **Logon Account + Source Workstation** pairs. |
-| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
-| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
-| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
-| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
+| **Non-active accounts**: You might have non-active, disabled, or guest accounts, or other accounts that should never be used. | Monitor this event with the **“Logon Account”** that should never be used. |
+| **Account allow list**: You might have a specific allow list of accounts that are the only ones allowed to perform actions corresponding to particular events. | If this event corresponds to a “allow list-only” action, review the **“Logon Account”** for accounts that are outside the allow list. |
+| **Restricted-use computers**: You might have certain computers from which certain people (accounts) should not log on. | Monitor the target **Source Workstation** for credential validation requests from the **“Logon Account”** that you are concerned about. |
+| **Account naming conventions**: Your organization might have specific naming conventions for account names. | Monitor “**Logon Account”** for names that don’t comply with naming conventions. |
- If NTLM authentication should not be used for a specific account, monitor for that account. Don’t forget that local logon will always use NTLM authentication if an account logs on to a device where its user account is stored.
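Review bot: the re-added **Account allow list** row still reads "a “allow list-only” action"; since the line is being rewritten anyway, fix the article to "an “allow list-only” action". The header row here keeps bold (`**Type of monitoring required**`) while the same header in event-4768.md (@@ -301 hunk of this patch) has bold removed; keep the two tables consistent. Shortening the separator row to `|-----------------|---------|` is fine for Markdown and makes the diff easier to read.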
@@ -142,12 +138,12 @@ For 4776(S, F): The computer attempted to validate the credentials for an accoun
- Consider tracking the following errors for the reasons listed:
-| **Error to track** | **What the error might indicate** |
-|-----------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------------------------------------|
+| **Error to track** | **What the error might indicate** |
+|----------|----------------|
| **User logon with misspelled or bad user account** | For example, N events in the last N minutes can be an indicator of an account enumeration attack, especially relevant for highly critical accounts. |
| **User logon with misspelled or bad password** | For example, N events in the last N minutes can be an indicator of a brute-force password attack, especially relevant for highly critical accounts. |
-| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. |
-| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. |
+| **User logon outside authorized hours** | Can indicate a compromised account; especially relevant for highly critical accounts. |
+| **User logon from unauthorized workstation** | Can indicate a compromised account; especially relevant for highly critical accounts. |
| **User logon to account disabled by administrator** | For example, N events in last N minutes can be an indicator of an account compromise attempt, especially relevant for highly critical accounts. |
-| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
-| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
\ No newline at end of file
+| **User logon with expired account** | Can indicate an account compromise attempt; especially relevant for highly critical accounts. |
+| **User logon with account locked** | Can indicate a brute-force password attack; especially relevant for highly critical accounts. |
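Review bot: fixing the missing newline at end of file is correct. In the rows kept as context, "N events in the last N minutes" uses the same placeholder for both the event count and the time window, which suggests the two values are tied; consider distinct placeholders (for example "N events in the last M minutes") so readers set a count and a window independently when building the detection.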
diff --git a/windows/security/threat-protection/auditing/event-4777.md b/windows/security/threat-protection/auditing/event-4777.md
index 28a4b42d08..f5b01ce6aa 100644
--- a/windows/security/threat-protection/auditing/event-4777.md
+++ b/windows/security/threat-protection/auditing/event-4777.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4777(F): The domain controller failed to validate the credentials for an account.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system. [4776](event-4776.md) failure event is generated instead.
diff --git a/windows/security/threat-protection/auditing/event-4778.md b/windows/security/threat-protection/auditing/event-4778.md
index 8293e41487..f7278c0017 100644
--- a/windows/security/threat-protection/auditing/event-4778.md
+++ b/windows/security/threat-protection/auditing/event-4778.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4778(S): A session was reconnected to a Window Station.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4779.md b/windows/security/threat-protection/auditing/event-4779.md
index 29836498cc..3f34f106e4 100644
--- a/windows/security/threat-protection/auditing/event-4779.md
+++ b/windows/security/threat-protection/auditing/event-4779.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4779(S): A session was disconnected from a Window Station.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4780.md b/windows/security/threat-protection/auditing/event-4780.md
index 00faedae10..94b8733eab 100644
--- a/windows/security/threat-protection/auditing/event-4780.md
+++ b/windows/security/threat-protection/auditing/event-4780.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4780(S): The ACL was set on accounts which are members of administrators groups.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Every hour, the domain controller that holds the primary domain controller (PDC) Flexible Single Master Operation (FSMO) role compares the ACL on all security principal accounts (users, groups, and machine accounts) present for its domain in Active Directory and that are in administrative or security-sensitive groups and which have AdminCount attribute = 1 against the ACL on the [AdminSDHolder](/previous-versions/technet-magazine/ee361593(v=msdn.10)) object. If the ACL on the principal account differs from the ACL on the AdminSDHolder object, then the ACL on the principal account is reset to match the ACL on the AdminSDHolder object and this event is generated.
diff --git a/windows/security/threat-protection/auditing/event-4781.md b/windows/security/threat-protection/auditing/event-4781.md
index 2adb3bcac5..0e7051d0c0 100644
--- a/windows/security/threat-protection/auditing/event-4781.md
+++ b/windows/security/threat-protection/auditing/event-4781.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4781(S): The name of an account was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4782.md b/windows/security/threat-protection/auditing/event-4782.md
index e0ecc19336..0d7d285e29 100644
--- a/windows/security/threat-protection/auditing/event-4782.md
+++ b/windows/security/threat-protection/auditing/event-4782.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4782(S): The password hash of an account was accessed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4793.md b/windows/security/threat-protection/auditing/event-4793.md
index 4b75a802d5..d471201647 100644
--- a/windows/security/threat-protection/auditing/event-4793.md
+++ b/windows/security/threat-protection/auditing/event-4793.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4793(S): The Password Policy Checking API was called.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4794.md b/windows/security/threat-protection/auditing/event-4794.md
index 6e585048c1..6901d09cbe 100644
--- a/windows/security/threat-protection/auditing/event-4794.md
+++ b/windows/security/threat-protection/auditing/event-4794.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4794(S, F): An attempt was made to set the Directory Services Restore Mode administrator password.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4798.md b/windows/security/threat-protection/auditing/event-4798.md
index 3fddfd9b65..15a1328384 100644
--- a/windows/security/threat-protection/auditing/event-4798.md
+++ b/windows/security/threat-protection/auditing/event-4798.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4798(S): A user's local group membership was enumerated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4799.md b/windows/security/threat-protection/auditing/event-4799.md
index 18b337fcdc..92441ae64b 100644
--- a/windows/security/threat-protection/auditing/event-4799.md
+++ b/windows/security/threat-protection/auditing/event-4799.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4799(S): A security-enabled local group membership was enumerated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4800.md b/windows/security/threat-protection/auditing/event-4800.md
index 92c543f8b0..2e468c9d92 100644
--- a/windows/security/threat-protection/auditing/event-4800.md
+++ b/windows/security/threat-protection/auditing/event-4800.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4800(S): The workstation was locked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4801.md b/windows/security/threat-protection/auditing/event-4801.md
index ed7c8ec85c..7da15cbbe7 100644
--- a/windows/security/threat-protection/auditing/event-4801.md
+++ b/windows/security/threat-protection/auditing/event-4801.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4801(S): The workstation was unlocked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4802.md b/windows/security/threat-protection/auditing/event-4802.md
index 9f5fa2b8e3..7ea6add001 100644
--- a/windows/security/threat-protection/auditing/event-4802.md
+++ b/windows/security/threat-protection/auditing/event-4802.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4802(S): The screen saver was invoked.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4803.md b/windows/security/threat-protection/auditing/event-4803.md
index 20304e4527..4971789fd3 100644
--- a/windows/security/threat-protection/auditing/event-4803.md
+++ b/windows/security/threat-protection/auditing/event-4803.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4803(S): The screen saver was dismissed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4816.md b/windows/security/threat-protection/auditing/event-4816.md
index 9e36c52bb1..a2c127435d 100644
--- a/windows/security/threat-protection/auditing/event-4816.md
+++ b/windows/security/threat-protection/auditing/event-4816.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4816(S): RPC detected an integrity violation while decrypting an incoming message.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This message generates if RPC detected an integrity violation while decrypting an incoming message.
diff --git a/windows/security/threat-protection/auditing/event-4817.md b/windows/security/threat-protection/auditing/event-4817.md
index 0b0fc16bf7..3744b68704 100644
--- a/windows/security/threat-protection/auditing/event-4817.md
+++ b/windows/security/threat-protection/auditing/event-4817.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4817(S): Auditing settings on object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4818.md b/windows/security/threat-protection/auditing/event-4818.md
index 05266e39e5..c71a145e05 100644
--- a/windows/security/threat-protection/auditing/event-4818.md
+++ b/windows/security/threat-protection/auditing/event-4818.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4818(S): Proposed Central Access Policy does not grant the same access permissions as the current Central Access Policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4819.md b/windows/security/threat-protection/auditing/event-4819.md
index 3751b39e45..f3acc685b2 100644
--- a/windows/security/threat-protection/auditing/event-4819.md
+++ b/windows/security/threat-protection/auditing/event-4819.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4819(S): Central Access Policies on the machine have been changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4826.md b/windows/security/threat-protection/auditing/event-4826.md
index 2e78b4c653..27f8cbeb41 100644
--- a/windows/security/threat-protection/auditing/event-4826.md
+++ b/windows/security/threat-protection/auditing/event-4826.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4826(S): Boot Configuration Data loaded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4864.md b/windows/security/threat-protection/auditing/event-4864.md
index ca1995291e..aec977eddd 100644
--- a/windows/security/threat-protection/auditing/event-4864.md
+++ b/windows/security/threat-protection/auditing/event-4864.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4864(S): A namespace collision was detected.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event is generated when a namespace collision was detected.
diff --git a/windows/security/threat-protection/auditing/event-4865.md b/windows/security/threat-protection/auditing/event-4865.md
index 063eb88afc..994d2407a3 100644
--- a/windows/security/threat-protection/auditing/event-4865.md
+++ b/windows/security/threat-protection/auditing/event-4865.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4865(S): A trusted forest information entry was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4866.md b/windows/security/threat-protection/auditing/event-4866.md
index 922d662887..ad75bb1d68 100644
--- a/windows/security/threat-protection/auditing/event-4866.md
+++ b/windows/security/threat-protection/auditing/event-4866.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4866(S): A trusted forest information entry was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4867.md b/windows/security/threat-protection/auditing/event-4867.md
index a8fdb4a693..e82918ba71 100644
--- a/windows/security/threat-protection/auditing/event-4867.md
+++ b/windows/security/threat-protection/auditing/event-4867.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4867(S): A trusted forest information entry was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4902.md b/windows/security/threat-protection/auditing/event-4902.md
index d5a7640b84..67d2817434 100644
--- a/windows/security/threat-protection/auditing/event-4902.md
+++ b/windows/security/threat-protection/auditing/event-4902.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4902(S): The Per-user audit policy table was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4904.md b/windows/security/threat-protection/auditing/event-4904.md
index 268606eab6..0a72ca6e45 100644
--- a/windows/security/threat-protection/auditing/event-4904.md
+++ b/windows/security/threat-protection/auditing/event-4904.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/07/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4904(S): An attempt was made to register a security event source.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4905.md b/windows/security/threat-protection/auditing/event-4905.md
index 65338f9f64..2bc2194af3 100644
--- a/windows/security/threat-protection/auditing/event-4905.md
+++ b/windows/security/threat-protection/auditing/event-4905.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
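Review bot: `ms.date` is set to `09/08/2021` here, while the files earlier in this change (event-4816.md through event-4904.md) were bumped to `09/07/2021` by the same edit. If the field is meant to record this revision, use one date across the whole change; a two-day split suggests the updates were applied in separate passes and makes the metadata look unreviewed.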
@@ -16,10 +16,6 @@ ms.technology: mde
# 4905(S): An attempt was made to unregister a security event source.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4906.md b/windows/security/threat-protection/auditing/event-4906.md
index 49269c1eb3..5f8556c594 100644
--- a/windows/security/threat-protection/auditing/event-4906.md
+++ b/windows/security/threat-protection/auditing/event-4906.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4906(S): The CrashOnAuditFail value has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4907.md b/windows/security/threat-protection/auditing/event-4907.md
index e8f78c11b1..54960760dd 100644
--- a/windows/security/threat-protection/auditing/event-4907.md
+++ b/windows/security/threat-protection/auditing/event-4907.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4907(S): Auditing settings on object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
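Review bot: event-4907.md carries the same H1 as event-4817.md ("Auditing settings on object were changed."), and with the **Applies to** block removed the two pages now open identically with nothing to tell them apart. Since the change touches the opening of both pages, add a one-sentence lead after each heading that states what distinguishes 4817 from 4907, or at least cross-link the two so readers who land on one know the other exists.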
diff --git a/windows/security/threat-protection/auditing/event-4908.md b/windows/security/threat-protection/auditing/event-4908.md
index 3a12a949e0..4b00b7dc48 100644
--- a/windows/security/threat-protection/auditing/event-4908.md
+++ b/windows/security/threat-protection/auditing/event-4908.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4908(S): Special Groups Logon table modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4909.md b/windows/security/threat-protection/auditing/event-4909.md
index 9c3b067418..77f5ddd123 100644
--- a/windows/security/threat-protection/auditing/event-4909.md
+++ b/windows/security/threat-protection/auditing/event-4909.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4909(-): The local policy settings for the TBS were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
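Review bot: on this page the removal of the **Applies to** list leaves "Currently this event doesn't generate" as the first body line with no indication of which Windows versions that claim was checked against, and the `ms.date` bump in the first hunk moves "currently" to 09/08/2021 without any change to the statement itself. State the versions the non-generation applies to in the sentence (the removed lines name Windows 10 and Windows Server 2016), or restore the list, so the claim stays verifiable after this edit.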
diff --git a/windows/security/threat-protection/auditing/event-4910.md b/windows/security/threat-protection/auditing/event-4910.md
index 948c3a6dab..0c3e27cbcd 100644
--- a/windows/security/threat-protection/auditing/event-4910.md
+++ b/windows/security/threat-protection/auditing/event-4910.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4910(-): The group policy settings for the TBS were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Currently this event doesn’t generate. It is a defined event, but it is never invoked by the operating system.
diff --git a/windows/security/threat-protection/auditing/event-4911.md b/windows/security/threat-protection/auditing/event-4911.md
index cf47c889e0..34506e27c7 100644
--- a/windows/security/threat-protection/auditing/event-4911.md
+++ b/windows/security/threat-protection/auditing/event-4911.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4911(S): Resource attributes of the object were changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4912.md b/windows/security/threat-protection/auditing/event-4912.md
index e4bc6d9d43..cd13c3c6ed 100644
--- a/windows/security/threat-protection/auditing/event-4912.md
+++ b/windows/security/threat-protection/auditing/event-4912.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4912(S): Per User Audit Policy was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4913.md b/windows/security/threat-protection/auditing/event-4913.md
index 51ff7291cb..88f5b9912c 100644
--- a/windows/security/threat-protection/auditing/event-4913.md
+++ b/windows/security/threat-protection/auditing/event-4913.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4913(S): Central Access Policy on the object was changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4928.md b/windows/security/threat-protection/auditing/event-4928.md
index 166bc42cf3..c771de77c7 100644
--- a/windows/security/threat-protection/auditing/event-4928.md
+++ b/windows/security/threat-protection/auditing/event-4928.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4928(S, F): An Active Directory replica source naming context was established.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4929.md b/windows/security/threat-protection/auditing/event-4929.md
index ab04f9ab17..8befaf8042 100644
--- a/windows/security/threat-protection/auditing/event-4929.md
+++ b/windows/security/threat-protection/auditing/event-4929.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4929(S, F): An Active Directory replica source naming context was removed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4930.md b/windows/security/threat-protection/auditing/event-4930.md
index 3897b1bd01..9b7133cbec 100644
--- a/windows/security/threat-protection/auditing/event-4930.md
+++ b/windows/security/threat-protection/auditing/event-4930.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4930(S, F): An Active Directory replica source naming context was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4931.md b/windows/security/threat-protection/auditing/event-4931.md
index dfb00ceb91..9be2c0b308 100644
--- a/windows/security/threat-protection/auditing/event-4931.md
+++ b/windows/security/threat-protection/auditing/event-4931.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4931(S, F): An Active Directory replica destination naming context was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4932.md b/windows/security/threat-protection/auditing/event-4932.md
index 13f42ce386..2fe1488145 100644
--- a/windows/security/threat-protection/auditing/event-4932.md
+++ b/windows/security/threat-protection/auditing/event-4932.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4932(S): Synchronization of a replica of an Active Directory naming context has begun.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4933.md b/windows/security/threat-protection/auditing/event-4933.md
index b4f0784a45..763c17876e 100644
--- a/windows/security/threat-protection/auditing/event-4933.md
+++ b/windows/security/threat-protection/auditing/event-4933.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4933(S, F): Synchronization of a replica of an Active Directory naming context has ended.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4934.md b/windows/security/threat-protection/auditing/event-4934.md
index ffc4b9b4a3..edfe9bb645 100644
--- a/windows/security/threat-protection/auditing/event-4934.md
+++ b/windows/security/threat-protection/auditing/event-4934.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4934(S): Attributes of an Active Directory object were replicated.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when attributes of an Active Directory object were replicated.
diff --git a/windows/security/threat-protection/auditing/event-4935.md b/windows/security/threat-protection/auditing/event-4935.md
index f2910784e6..6473cffbe6 100644
--- a/windows/security/threat-protection/auditing/event-4935.md
+++ b/windows/security/threat-protection/auditing/event-4935.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4935(F): Replication failure begins.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4936.md b/windows/security/threat-protection/auditing/event-4936.md
index 3f808bf11d..e87cf4d53e 100644
--- a/windows/security/threat-protection/auditing/event-4936.md
+++ b/windows/security/threat-protection/auditing/event-4936.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4936(S): Replication failure ends.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when Active Directory replication failure ends.
diff --git a/windows/security/threat-protection/auditing/event-4937.md b/windows/security/threat-protection/auditing/event-4937.md
index 2775be1c5d..6c1f85f0a7 100644
--- a/windows/security/threat-protection/auditing/event-4937.md
+++ b/windows/security/threat-protection/auditing/event-4937.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4937(S): A lingering object was removed from a replica.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when a [lingering object](https://support.microsoft.com/kb/910205) was removed from a replica.
diff --git a/windows/security/threat-protection/auditing/event-4944.md b/windows/security/threat-protection/auditing/event-4944.md
index 3821d18e1b..046a35e163 100644
--- a/windows/security/threat-protection/auditing/event-4944.md
+++ b/windows/security/threat-protection/auditing/event-4944.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4944(S): The following policy was active when the Windows Firewall started.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4945.md b/windows/security/threat-protection/auditing/event-4945.md
index da8105bffc..c76d313b14 100644
--- a/windows/security/threat-protection/auditing/event-4945.md
+++ b/windows/security/threat-protection/auditing/event-4945.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4945(S): A rule was listed when the Windows Firewall started.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4946.md b/windows/security/threat-protection/auditing/event-4946.md
index 30ae25fd28..4279a425ff 100644
--- a/windows/security/threat-protection/auditing/event-4946.md
+++ b/windows/security/threat-protection/auditing/event-4946.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4946(S): A change has been made to Windows Firewall exception list. A rule was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4947.md b/windows/security/threat-protection/auditing/event-4947.md
index b38eef6371..48613fd427 100644
--- a/windows/security/threat-protection/auditing/event-4947.md
+++ b/windows/security/threat-protection/auditing/event-4947.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4947(S): A change has been made to Windows Firewall exception list. A rule was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4948.md b/windows/security/threat-protection/auditing/event-4948.md
index 5f92a37c6a..6d0290f772 100644
--- a/windows/security/threat-protection/auditing/event-4948.md
+++ b/windows/security/threat-protection/auditing/event-4948.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4948(S): A change has been made to Windows Firewall exception list. A rule was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4949.md b/windows/security/threat-protection/auditing/event-4949.md
index e304844bc8..50b400ce2d 100644
--- a/windows/security/threat-protection/auditing/event-4949.md
+++ b/windows/security/threat-protection/auditing/event-4949.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4949(S): Windows Firewall settings were restored to the default values.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4950.md b/windows/security/threat-protection/auditing/event-4950.md
index 54ead99c65..90fdd4b72d 100644
--- a/windows/security/threat-protection/auditing/event-4950.md
+++ b/windows/security/threat-protection/auditing/event-4950.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4950(S): A Windows Firewall setting has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4951.md b/windows/security/threat-protection/auditing/event-4951.md
index 4a2c32b9e2..65357fc8cf 100644
--- a/windows/security/threat-protection/auditing/event-4951.md
+++ b/windows/security/threat-protection/auditing/event-4951.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4951(F): A rule has been ignored because its major version number was not recognized by Windows Firewall.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4952.md b/windows/security/threat-protection/auditing/event-4952.md
index 150a0ac97d..abd1012a90 100644
--- a/windows/security/threat-protection/auditing/event-4952.md
+++ b/windows/security/threat-protection/auditing/event-4952.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4952(F): Parts of a rule have been ignored because its minor version number was not recognized by Windows Firewall. The other parts of the rule will be enforced.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
When you create or edit a Windows Firewall rule, the settings that you can include depend upon the version of Windows you use when creating the rule. As new settings are added to later versions of Windows or to service packs for existing versions of Windows, the version number of the rules processing engine is updated, and that version number is stamped into rules that are created by using that version of Windows. For example, Windows Vista produces firewall rules that are stamped with version "v2.0". Future versions of Windows might use "v2.1", or "v3.0" to indicate, respectively, minor or major changes and additions.
diff --git a/windows/security/threat-protection/auditing/event-4953.md b/windows/security/threat-protection/auditing/event-4953.md
index 38d9aa6a3d..d35205d2e8 100644
--- a/windows/security/threat-protection/auditing/event-4953.md
+++ b/windows/security/threat-protection/auditing/event-4953.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4953(F): Windows Firewall ignored a rule because it could not be parsed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4954.md b/windows/security/threat-protection/auditing/event-4954.md
index 99bb6457e2..f671cef1ef 100644
--- a/windows/security/threat-protection/auditing/event-4954.md
+++ b/windows/security/threat-protection/auditing/event-4954.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4954(S): Windows Firewall Group Policy settings have changed. The new settings have been applied.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4956.md b/windows/security/threat-protection/auditing/event-4956.md
index 34d36fa5d0..c56a466f9f 100644
--- a/windows/security/threat-protection/auditing/event-4956.md
+++ b/windows/security/threat-protection/auditing/event-4956.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4956(S): Windows Firewall has changed the active profile.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4957.md b/windows/security/threat-protection/auditing/event-4957.md
index 8b822ee84c..a34de9e92f 100644
--- a/windows/security/threat-protection/auditing/event-4957.md
+++ b/windows/security/threat-protection/auditing/event-4957.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4957(F): Windows Firewall did not apply the following rule.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4958.md b/windows/security/threat-protection/auditing/event-4958.md
index 05922fd7a7..7bb37f579a 100644
--- a/windows/security/threat-protection/auditing/event-4958.md
+++ b/windows/security/threat-protection/auditing/event-4958.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4958(F): Windows Firewall did not apply the following rule because the rule referred to items not configured on this computer.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows Firewall with Advanced Security processed a rule that contains parameters that cannot be resolved on the local computer. The rule is therefore not enforceable on the computer and so is excluded from the runtime state of the firewall. This is not necessarily an error. Examine the rule for applicability on the computers to which it was applied.
diff --git a/windows/security/threat-protection/auditing/event-4964.md b/windows/security/threat-protection/auditing/event-4964.md
index 0ee97ac194..b83f63788a 100644
--- a/windows/security/threat-protection/auditing/event-4964.md
+++ b/windows/security/threat-protection/auditing/event-4964.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4964(S): Special groups have been assigned to a new logon.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-4985.md b/windows/security/threat-protection/auditing/event-4985.md
index c57db1916e..ee97d237fc 100644
--- a/windows/security/threat-protection/auditing/event-4985.md
+++ b/windows/security/threat-protection/auditing/event-4985.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 4985(S): The state of a transaction has changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5024.md b/windows/security/threat-protection/auditing/event-5024.md
index b24cd95e31..6f42905b26 100644
--- a/windows/security/threat-protection/auditing/event-5024.md
+++ b/windows/security/threat-protection/auditing/event-5024.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5024(S): The Windows Firewall Service has started successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5025.md b/windows/security/threat-protection/auditing/event-5025.md
index a9a3c5e14b..51c4600f15 100644
--- a/windows/security/threat-protection/auditing/event-5025.md
+++ b/windows/security/threat-protection/auditing/event-5025.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5025(S): The Windows Firewall Service has been stopped.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5027.md b/windows/security/threat-protection/auditing/event-5027.md
index 4ea2177c6b..85afaa1f92 100644
--- a/windows/security/threat-protection/auditing/event-5027.md
+++ b/windows/security/threat-protection/auditing/event-5027.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5027(F): The Windows Firewall Service was unable to retrieve the security policy from the local storage. The service will continue enforcing the current policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5028.md b/windows/security/threat-protection/auditing/event-5028.md
index 9ab51ca985..8835c0a855 100644
--- a/windows/security/threat-protection/auditing/event-5028.md
+++ b/windows/security/threat-protection/auditing/event-5028.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5028(F): The Windows Firewall Service was unable to parse the new security policy. The service will continue with currently enforced policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5029.md b/windows/security/threat-protection/auditing/event-5029.md
index 46d9b7b3e7..6e8bfab573 100644
--- a/windows/security/threat-protection/auditing/event-5029.md
+++ b/windows/security/threat-protection/auditing/event-5029.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5029(F): The Windows Firewall Service failed to initialize the driver. The service will continue to enforce the current policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows logs an error if either the Windows Firewall service or its driver fails to start, or if they unexpectedly terminate. The error message indicates the cause of the service failure by including an error code in the text of the message.
diff --git a/windows/security/threat-protection/auditing/event-5030.md b/windows/security/threat-protection/auditing/event-5030.md
index de68bc30db..175e125235 100644
--- a/windows/security/threat-protection/auditing/event-5030.md
+++ b/windows/security/threat-protection/auditing/event-5030.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5030(F): The Windows Firewall Service failed to start.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows logs this event if the Windows Firewall service fails to start, or if it unexpectedly terminates. The error message indicates the cause of the service failure by including an error code in the text of the message.
diff --git a/windows/security/threat-protection/auditing/event-5031.md b/windows/security/threat-protection/auditing/event-5031.md
index df9881e050..8a10a69008 100644
--- a/windows/security/threat-protection/auditing/event-5031.md
+++ b/windows/security/threat-protection/auditing/event-5031.md
@@ -10,17 +10,12 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
+ms.date: 09/08/2021
ms.technology: mde
---
# 5031(F): The Windows Firewall Service blocked an application from accepting incoming connections on the network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-- Windows Server 2012 R2
-- Windows Server 2012
-
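Review bot: this page's list also named Windows Server 2012 R2 and Windows Server 2012, which none of the other event pages in the series did, so the removal here discards information that cannot be recovered from the rest of the change; please confirm that is intended. Separately, `ms.date: 09/08/2021` is added as a new line rather than replacing an old one, and the context shows `ms.technology` directly after `author` with no `ms.reviewer`, `manager` or `ms.author`, unlike the other event pages in this diff, so this file's frontmatter looks incomplete and is worth aligning while it is being touched.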
diff --git a/windows/security/threat-protection/auditing/event-5032.md b/windows/security/threat-protection/auditing/event-5032.md
index a356c6ba72..235d9fd8d3 100644
--- a/windows/security/threat-protection/auditing/event-5032.md
+++ b/windows/security/threat-protection/auditing/event-5032.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5032(F): Windows Firewall was unable to notify the user that it blocked an application from accepting incoming connections on the network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows Firewall with Advanced Security can be configured to notify the user when an application is blocked by the firewall, and ask if the application should continue to be blocked in the future.
diff --git a/windows/security/threat-protection/auditing/event-5033.md b/windows/security/threat-protection/auditing/event-5033.md
index 05552da629..e664ac846b 100644
--- a/windows/security/threat-protection/auditing/event-5033.md
+++ b/windows/security/threat-protection/auditing/event-5033.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5033(S): The Windows Firewall Driver has started successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5034.md b/windows/security/threat-protection/auditing/event-5034.md
index 7cef4c54e0..e447aeb0e7 100644
--- a/windows/security/threat-protection/auditing/event-5034.md
+++ b/windows/security/threat-protection/auditing/event-5034.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5034(S): The Windows Firewall Driver was stopped.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5035.md b/windows/security/threat-protection/auditing/event-5035.md
index 6b9d8a9488..0bc400131b 100644
--- a/windows/security/threat-protection/auditing/event-5035.md
+++ b/windows/security/threat-protection/auditing/event-5035.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5035(F): The Windows Firewall Driver failed to start.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message.
diff --git a/windows/security/threat-protection/auditing/event-5037.md b/windows/security/threat-protection/auditing/event-5037.md
index a189ce3f21..c36c375902 100644
--- a/windows/security/threat-protection/auditing/event-5037.md
+++ b/windows/security/threat-protection/auditing/event-5037.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5037(F): The Windows Firewall Driver detected critical runtime error. Terminating.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Windows logs this event if Windows Firewall driver fails to start, or if it unexpectedly terminates. The error message indicates the cause of the failure by including an error code in the text of the message.
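Review bot: the retained description is the same text as on event 5035 ("Windows logs this event if Windows Firewall driver fails to start...") and does not match this page's title, which describes a critical runtime error detected by the driver, not a start failure; since the page is being edited, suggest a description that matches the title.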
diff --git a/windows/security/threat-protection/auditing/event-5038.md b/windows/security/threat-protection/auditing/event-5038.md
index 2dc28bef2e..996a74d7b5 100644
--- a/windows/security/threat-protection/auditing/event-5038.md
+++ b/windows/security/threat-protection/auditing/event-5038.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5038(F): Code integrity determined that the image hash of a file is not valid. The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
The file could be corrupt due to unauthorized modification or the invalid hash could indicate a potential disk device error.
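Review bot: the retained body line repeats the second sentence of the H1 word for word; while this page is being edited, consider dropping the duplicate or replacing it with a sentence that adds information beyond the title.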
diff --git a/windows/security/threat-protection/auditing/event-5039.md b/windows/security/threat-protection/auditing/event-5039.md
index fda19e5f16..09baf51880 100644
--- a/windows/security/threat-protection/auditing/event-5039.md
+++ b/windows/security/threat-protection/auditing/event-5039.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5039(-): A registry key was virtualized.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event should be generated when registry key was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
diff --git a/windows/security/threat-protection/auditing/event-5051.md b/windows/security/threat-protection/auditing/event-5051.md
index 3ac07671d2..e9e1bea6c6 100644
--- a/windows/security/threat-protection/auditing/event-5051.md
+++ b/windows/security/threat-protection/auditing/event-5051.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5051(-): A file was virtualized.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event should be generated when file was virtualized using [LUAFV](https://blogs.msdn.com/b/alexcarp/archive/2009/06/25/the-deal-with-luafv-sys.aspx).
diff --git a/windows/security/threat-protection/auditing/event-5056.md b/windows/security/threat-protection/auditing/event-5056.md
index a717d05e4a..96af867108 100644
--- a/windows/security/threat-protection/auditing/event-5056.md
+++ b/windows/security/threat-protection/auditing/event-5056.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5056(S): A cryptographic self-test was performed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in CNG Self-Test function. This function is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5057.md b/windows/security/threat-protection/auditing/event-5057.md
index c83ca8bd2e..5d686b4510 100644
--- a/windows/security/threat-protection/auditing/event-5057.md
+++ b/windows/security/threat-protection/auditing/event-5057.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5057(F): A cryptographic primitive operation failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in case of CNG primitive operation failure.
diff --git a/windows/security/threat-protection/auditing/event-5058.md b/windows/security/threat-protection/auditing/event-5058.md
index b351ee93e6..319ffe99f0 100644
--- a/windows/security/threat-protection/auditing/event-5058.md
+++ b/windows/security/threat-protection/auditing/event-5058.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5058(S, F): Key file operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5059.md b/windows/security/threat-protection/auditing/event-5059.md
index 5881e672d5..ff33eba467 100644
--- a/windows/security/threat-protection/auditing/event-5059.md
+++ b/windows/security/threat-protection/auditing/event-5059.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5059(S, F): Key migration operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5060.md b/windows/security/threat-protection/auditing/event-5060.md
index 11b9903d5d..23fa5c78d9 100644
--- a/windows/security/threat-protection/auditing/event-5060.md
+++ b/windows/security/threat-protection/auditing/event-5060.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5060(F): Verification operation failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates when the Cryptographic Next Generation (CNG) verification operation fails.
diff --git a/windows/security/threat-protection/auditing/event-5061.md b/windows/security/threat-protection/auditing/event-5061.md
index 7612017713..919d66a79c 100644
--- a/windows/security/threat-protection/auditing/event-5061.md
+++ b/windows/security/threat-protection/auditing/event-5061.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5061(S, F): Cryptographic operation.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5062.md b/windows/security/threat-protection/auditing/event-5062.md
index e397844d41..242721afc4 100644
--- a/windows/security/threat-protection/auditing/event-5062.md
+++ b/windows/security/threat-protection/auditing/event-5062.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5062(S): A kernel-mode cryptographic self-test was performed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event occurs rarely, and in some situations may be difficult to reproduce.
diff --git a/windows/security/threat-protection/auditing/event-5063.md b/windows/security/threat-protection/auditing/event-5063.md
index e06e3118a6..020b7ebc4c 100644
--- a/windows/security/threat-protection/auditing/event-5063.md
+++ b/windows/security/threat-protection/auditing/event-5063.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5063(S, F): A cryptographic provider operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in BCryptUnregisterProvider() and BCryptRegisterProvider() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5064.md b/windows/security/threat-protection/auditing/event-5064.md
index 077fadf9f7..2532a3b70b 100644
--- a/windows/security/threat-protection/auditing/event-5064.md
+++ b/windows/security/threat-protection/auditing/event-5064.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5064(S, F): A cryptographic context operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptCreateContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptcreatecontext)() and [BCryptDeleteContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptdeletecontext)() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5065.md b/windows/security/threat-protection/auditing/event-5065.md
index 3a64e39e7f..0bbc9ae5c7 100644
--- a/windows/security/threat-protection/auditing/event-5065.md
+++ b/windows/security/threat-protection/auditing/event-5065.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5065(S, F): A cryptographic context modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptConfigureContext](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontext)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5066.md b/windows/security/threat-protection/auditing/event-5066.md
index 52fca7414b..eebc61873d 100644
--- a/windows/security/threat-protection/auditing/event-5066.md
+++ b/windows/security/threat-protection/auditing/event-5066.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5066(S, F): A cryptographic function operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptAddContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptaddcontextfunction)() and [BCryptRemoveContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptremovecontextfunction)() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5067.md b/windows/security/threat-protection/auditing/event-5067.md
index 245b241e69..a3ca03be65 100644
--- a/windows/security/threat-protection/auditing/event-5067.md
+++ b/windows/security/threat-protection/auditing/event-5067.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5067(S, F): A cryptographic function modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptConfigureContextFunction](/windows/win32/api/bcrypt/nf-bcrypt-bcryptconfigurecontextfunction)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5068.md b/windows/security/threat-protection/auditing/event-5068.md
index 1cb02be991..645868eeca 100644
--- a/windows/security/threat-protection/auditing/event-5068.md
+++ b/windows/security/threat-protection/auditing/event-5068.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5068(S, F): A cryptographic function provider operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in BCryptAddContextFunctionProvider() and BCryptRemoveContextFunctionProvider() functions. These are Cryptographic Next Generation (CNG) functions.
diff --git a/windows/security/threat-protection/auditing/event-5069.md b/windows/security/threat-protection/auditing/event-5069.md
index 742188905d..50d95a9aff 100644
--- a/windows/security/threat-protection/auditing/event-5069.md
+++ b/windows/security/threat-protection/auditing/event-5069.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5069(S, F): A cryptographic function property operation was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5070.md b/windows/security/threat-protection/auditing/event-5070.md
index 9893a7116b..e279ab685d 100644
--- a/windows/security/threat-protection/auditing/event-5070.md
+++ b/windows/security/threat-protection/auditing/event-5070.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5070(S, F): A cryptographic function property modification was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event generates in [BCryptSetContextFunctionProperty](/windows/win32/api/bcrypt/nf-bcrypt-bcryptsetcontextfunctionproperty)() function. This is a Cryptographic Next Generation (CNG) function.
diff --git a/windows/security/threat-protection/auditing/event-5136.md b/windows/security/threat-protection/auditing/event-5136.md
index 1b62c11bab..d83424aac5 100644
--- a/windows/security/threat-protection/auditing/event-5136.md
+++ b/windows/security/threat-protection/auditing/event-5136.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5136(S): A directory service object was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5137.md b/windows/security/threat-protection/auditing/event-5137.md
index 0146958e61..65f8370ad0 100644
--- a/windows/security/threat-protection/auditing/event-5137.md
+++ b/windows/security/threat-protection/auditing/event-5137.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5137(S): A directory service object was created.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5138.md b/windows/security/threat-protection/auditing/event-5138.md
index 2553251b75..4fa35c7f07 100644
--- a/windows/security/threat-protection/auditing/event-5138.md
+++ b/windows/security/threat-protection/auditing/event-5138.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5138(S): A directory service object was undeleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5139.md b/windows/security/threat-protection/auditing/event-5139.md
index c7f306eab0..43eacd93d9 100644
--- a/windows/security/threat-protection/auditing/event-5139.md
+++ b/windows/security/threat-protection/auditing/event-5139.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5139(S): A directory service object was moved.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5140.md b/windows/security/threat-protection/auditing/event-5140.md
index 199e5a4cd7..eb389fe767 100644
--- a/windows/security/threat-protection/auditing/event-5140.md
+++ b/windows/security/threat-protection/auditing/event-5140.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5140(S, F): A network share object was accessed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5141.md b/windows/security/threat-protection/auditing/event-5141.md
index 7d85f444d4..8da8b7d590 100644
--- a/windows/security/threat-protection/auditing/event-5141.md
+++ b/windows/security/threat-protection/auditing/event-5141.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5141(S): A directory service object was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5142.md b/windows/security/threat-protection/auditing/event-5142.md
index d29c26ddc4..b72ef6d776 100644
--- a/windows/security/threat-protection/auditing/event-5142.md
+++ b/windows/security/threat-protection/auditing/event-5142.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5142(S): A network share object was added.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5143.md b/windows/security/threat-protection/auditing/event-5143.md
index bc8f827e03..d173059b23 100644
--- a/windows/security/threat-protection/auditing/event-5143.md
+++ b/windows/security/threat-protection/auditing/event-5143.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5143(S): A network share object was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5144.md b/windows/security/threat-protection/auditing/event-5144.md
index 886dc70759..937bc39ce4 100644
--- a/windows/security/threat-protection/auditing/event-5144.md
+++ b/windows/security/threat-protection/auditing/event-5144.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5144(S): A network share object was deleted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5145.md b/windows/security/threat-protection/auditing/event-5145.md
index 933ab84191..1bf796cf9f 100644
--- a/windows/security/threat-protection/auditing/event-5145.md
+++ b/windows/security/threat-protection/auditing/event-5145.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5145(S, F): A network share object was checked to see whether client can be granted desired access.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5148.md b/windows/security/threat-protection/auditing/event-5148.md
index 23a31eb1a6..1946129b9b 100644
--- a/windows/security/threat-protection/auditing/event-5148.md
+++ b/windows/security/threat-protection/auditing/event-5148.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 05/29/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5148(F): The Windows Filtering Platform has detected a DoS attack and entered a defensive mode; packets associated with this attack will be discarded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack starts or was detected.
diff --git a/windows/security/threat-protection/auditing/event-5149.md b/windows/security/threat-protection/auditing/event-5149.md
index 04f6c8747a..467c7145cc 100644
--- a/windows/security/threat-protection/auditing/event-5149.md
+++ b/windows/security/threat-protection/auditing/event-5149.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 05/29/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5149(F): The DoS attack has subsided and normal processing is being resumed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
In most circumstances, this event occurs very rarely. It is designed to be generated when an ICMP DoS attack ended.
diff --git a/windows/security/threat-protection/auditing/event-5150.md b/windows/security/threat-protection/auditing/event-5150.md
index 7e8b6a5cc1..9d9c830f21 100644
--- a/windows/security/threat-protection/auditing/event-5150.md
+++ b/windows/security/threat-protection/auditing/event-5150.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5150(-): The Windows Filtering Platform blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event is logged if the Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5151.md b/windows/security/threat-protection/auditing/event-5151.md
index 611541553e..6601b86883 100644
--- a/windows/security/threat-protection/auditing/event-5151.md
+++ b/windows/security/threat-protection/auditing/event-5151.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5151(-): A more restrictive Windows Filtering Platform filter has blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event is logged if a more restrictive Windows Filtering Platform [MAC filter](/windows-hardware/drivers/network/using-layer-2-filtering) has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5152.md b/windows/security/threat-protection/auditing/event-5152.md
index cb8da40be3..d4bcbf8042 100644
--- a/windows/security/threat-protection/auditing/event-5152.md
+++ b/windows/security/threat-protection/auditing/event-5152.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5152(F): The Windows Filtering Platform blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5153.md b/windows/security/threat-protection/auditing/event-5153.md
index ce3f53f60d..eee4621b4d 100644
--- a/windows/security/threat-protection/auditing/event-5153.md
+++ b/windows/security/threat-protection/auditing/event-5153.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5153(S): A more restrictive Windows Filtering Platform filter has blocked a packet.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event is logged if a more restrictive Windows Filtering Platform filter has blocked a packet.
diff --git a/windows/security/threat-protection/auditing/event-5154.md b/windows/security/threat-protection/auditing/event-5154.md
index ea9c8ea638..6d0b939b64 100644
--- a/windows/security/threat-protection/auditing/event-5154.md
+++ b/windows/security/threat-protection/auditing/event-5154.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5154(S): The Windows Filtering Platform has permitted an application or service to listen on a port for incoming connections.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5155.md b/windows/security/threat-protection/auditing/event-5155.md
index d00134db41..166520ef13 100644
--- a/windows/security/threat-protection/auditing/event-5155.md
+++ b/windows/security/threat-protection/auditing/event-5155.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5155(F): The Windows Filtering Platform has blocked an application or service from listening on a port for incoming connections.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
By default Windows firewall won't prevent a port from being listened by an application. In the other word, Windows system will not generate Event 5155 by itself.
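Review bot: while this file is being edited, the context line after the removed block has grammar worth fixing in the same commit: "won't prevent a port from being listened by an application" should read "won't prevent an application from listening on a port", and "In the other word, Windows system will not generate Event 5155 by itself." should read "In other words, Windows will not generate event 5155 by itself."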
diff --git a/windows/security/threat-protection/auditing/event-5156.md b/windows/security/threat-protection/auditing/event-5156.md
index b7aa9709b2..d0af703c34 100644
--- a/windows/security/threat-protection/auditing/event-5156.md
+++ b/windows/security/threat-protection/auditing/event-5156.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5156(S): The Windows Filtering Platform has permitted a connection.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5157.md b/windows/security/threat-protection/auditing/event-5157.md
index 73d84e9d53..c20c64f670 100644
--- a/windows/security/threat-protection/auditing/event-5157.md
+++ b/windows/security/threat-protection/auditing/event-5157.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5157(F): The Windows Filtering Platform has blocked a connection.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5158.md b/windows/security/threat-protection/auditing/event-5158.md
index d863b08c36..f35938a490 100644
--- a/windows/security/threat-protection/auditing/event-5158.md
+++ b/windows/security/threat-protection/auditing/event-5158.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5158(S): The Windows Filtering Platform has permitted a bind to a local port.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5159.md b/windows/security/threat-protection/auditing/event-5159.md
index fb896131ac..95ac21b41a 100644
--- a/windows/security/threat-protection/auditing/event-5159.md
+++ b/windows/security/threat-protection/auditing/event-5159.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5159(F): The Windows Filtering Platform has blocked a bind to a local port.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5168.md b/windows/security/threat-protection/auditing/event-5168.md
index bb9371baff..5d1e8bf0d8 100644
--- a/windows/security/threat-protection/auditing/event-5168.md
+++ b/windows/security/threat-protection/auditing/event-5168.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5168(F): SPN check for SMB/SMB2 failed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5376.md b/windows/security/threat-protection/auditing/event-5376.md
index 3cbb58cf29..1b77d59d7e 100644
--- a/windows/security/threat-protection/auditing/event-5376.md
+++ b/windows/security/threat-protection/auditing/event-5376.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5376(S): Credential Manager credentials were backed up.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5377.md b/windows/security/threat-protection/auditing/event-5377.md
index 3be670da7b..82af29b1d7 100644
--- a/windows/security/threat-protection/auditing/event-5377.md
+++ b/windows/security/threat-protection/auditing/event-5377.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5377(S): Credential Manager credentials were restored from a backup.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5378.md b/windows/security/threat-protection/auditing/event-5378.md
index 0025f40837..7880067fb3 100644
--- a/windows/security/threat-protection/auditing/event-5378.md
+++ b/windows/security/threat-protection/auditing/event-5378.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5378(F): The requested credentials delegation was disallowed by policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5447.md b/windows/security/threat-protection/auditing/event-5447.md
index 2b5c265e83..c7e89a3513 100644
--- a/windows/security/threat-protection/auditing/event-5447.md
+++ b/windows/security/threat-protection/auditing/event-5447.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5447(S): A Windows Filtering Platform filter has been changed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5632.md b/windows/security/threat-protection/auditing/event-5632.md
index ad0e108238..fd3345a565 100644
--- a/windows/security/threat-protection/auditing/event-5632.md
+++ b/windows/security/threat-protection/auditing/event-5632.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5632(S, F): A request was made to authenticate to a wireless network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5633.md b/windows/security/threat-protection/auditing/event-5633.md
index ba78854b75..d72afb75da 100644
--- a/windows/security/threat-protection/auditing/event-5633.md
+++ b/windows/security/threat-protection/auditing/event-5633.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5633(S, F): A request was made to authenticate to a wired network.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5712.md b/windows/security/threat-protection/auditing/event-5712.md
index 5bb81e6f09..48363c3beb 100644
--- a/windows/security/threat-protection/auditing/event-5712.md
+++ b/windows/security/threat-protection/auditing/event-5712.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5712(S): A Remote Procedure Call (RPC) was attempted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
It appears that this event never occurs.
diff --git a/windows/security/threat-protection/auditing/event-5888.md b/windows/security/threat-protection/auditing/event-5888.md
index 8d2ea38fcb..4a22ab0013 100644
--- a/windows/security/threat-protection/auditing/event-5888.md
+++ b/windows/security/threat-protection/auditing/event-5888.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5888(S): An object in the COM+ Catalog was modified.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5889.md b/windows/security/threat-protection/auditing/event-5889.md
index e3d65ee453..d0d9842512 100644
--- a/windows/security/threat-protection/auditing/event-5889.md
+++ b/windows/security/threat-protection/auditing/event-5889.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5889(S): An object was deleted from the COM+ Catalog.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-5890.md b/windows/security/threat-protection/auditing/event-5890.md
index 9b7a9f515c..f7bf90b524 100644
--- a/windows/security/threat-protection/auditing/event-5890.md
+++ b/windows/security/threat-protection/auditing/event-5890.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 5890(S): An object was added to the COM+ Catalog.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6144.md b/windows/security/threat-protection/auditing/event-6144.md
index 7565e8f794..0ed126dc60 100644
--- a/windows/security/threat-protection/auditing/event-6144.md
+++ b/windows/security/threat-protection/auditing/event-6144.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6144(S): Security policy in the group policy objects has been applied successfully.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6145.md b/windows/security/threat-protection/auditing/event-6145.md
index b70a0844a2..ff67ad627d 100644
--- a/windows/security/threat-protection/auditing/event-6145.md
+++ b/windows/security/threat-protection/auditing/event-6145.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/08/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6145(F): One or more errors occurred while processing security policy in the group policy objects.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6281.md b/windows/security/threat-protection/auditing/event-6281.md
index e6ec5bea59..28b9c2e509 100644
--- a/windows/security/threat-protection/auditing/event-6281.md
+++ b/windows/security/threat-protection/auditing/event-6281.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6281(F): Code Integrity determined that the page hashes of an image file are not valid. The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error.
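Review bot: the body line that now directly follows the deleted block repeats the heading's second and third sentences verbatim ("The file could be improperly signed without page hashes or corrupt due to unauthorized modification. The invalid hashes could indicate a potential disk device error."), so with the **Applies to** block gone the article opens with a duplicate of its own title. Suggest shortening the heading to the first sentence, "6281(F): Code Integrity determined that the page hashes of an image file are not valid.", and keeping the explanation in the body.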
diff --git a/windows/security/threat-protection/auditing/event-6400.md b/windows/security/threat-protection/auditing/event-6400.md
index 511aeb3ae9..214d0c5b93 100644
--- a/windows/security/threat-protection/auditing/event-6400.md
+++ b/windows/security/threat-protection/auditing/event-6400.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6400(-): BranchCache: Received an incorrectly formatted response while discovering availability of content.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6401.md b/windows/security/threat-protection/auditing/event-6401.md
index 829c3215c9..7ae7c5a3ab 100644
--- a/windows/security/threat-protection/auditing/event-6401.md
+++ b/windows/security/threat-protection/auditing/event-6401.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6401(-): BranchCache: Received invalid data from a peer. Data discarded.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6402.md b/windows/security/threat-protection/auditing/event-6402.md
index 2aee0f9232..ca0ea21dbe 100644
--- a/windows/security/threat-protection/auditing/event-6402.md
+++ b/windows/security/threat-protection/auditing/event-6402.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6402(-): BranchCache: The message to the hosted cache offering it data is incorrectly formatted.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6403.md b/windows/security/threat-protection/auditing/event-6403.md
index ec9028c852..dfa11c62ac 100644
--- a/windows/security/threat-protection/auditing/event-6403.md
+++ b/windows/security/threat-protection/auditing/event-6403.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6403(-): BranchCache: The hosted cache sent an incorrectly formatted response to the client.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6404.md b/windows/security/threat-protection/auditing/event-6404.md
index eaa912b6e3..fb4bccd26f 100644
--- a/windows/security/threat-protection/auditing/event-6404.md
+++ b/windows/security/threat-protection/auditing/event-6404.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6404(-): BranchCache: Hosted cache could not be authenticated using the provisioned SSL certificate.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6405.md b/windows/security/threat-protection/auditing/event-6405.md
index fc188cce3b..557c8ebabe 100644
--- a/windows/security/threat-protection/auditing/event-6405.md
+++ b/windows/security/threat-protection/auditing/event-6405.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6405(-): BranchCache: %2 instance(s) of event id %1 occurred.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6406.md b/windows/security/threat-protection/auditing/event-6406.md
index 689085b2fd..dbaeb0e873 100644
--- a/windows/security/threat-protection/auditing/event-6406.md
+++ b/windows/security/threat-protection/auditing/event-6406.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6406(-): %1 registered to Windows Firewall to control filtering for the following: %2.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
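Review bot: the out-of-scope sentence does not match this event: the heading describes a product registering with Windows Firewall to control filtering ("%1 registered to Windows Firewall to control filtering for the following: %2."), which is not a BranchCache message, yet the body says "BranchCache events are outside the scope of this document." The same mismatch exists in the event-6407.md and event-6408.md hunks below. Since these files are being touched, correct the body to say what these Windows Firewall events are (or that they are out of scope as Windows Firewall events) rather than labelling them BranchCache.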
diff --git a/windows/security/threat-protection/auditing/event-6407.md b/windows/security/threat-protection/auditing/event-6407.md
index 3273efaba1..28612dacba 100644
--- a/windows/security/threat-protection/auditing/event-6407.md
+++ b/windows/security/threat-protection/auditing/event-6407.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6407(-): 1%.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
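Review bot: the heading "6407(-): 1%." looks like a garbled placeholder; the neighbouring pages use the "%1"/"%2" insertion-string notation ("%2 instance(s) of event id %1" in event-6405.md, "%1 registered to Windows Firewall" in event-6406.md), so this should most likely read "6407(-): %1." Worth fixing while the file is open, as the same hunk also leaves a BranchCache out-of-scope sentence under a non-BranchCache heading.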
diff --git a/windows/security/threat-protection/auditing/event-6408.md b/windows/security/threat-protection/auditing/event-6408.md
index 7b29a0468c..c36f520a60 100644
--- a/windows/security/threat-protection/auditing/event-6408.md
+++ b/windows/security/threat-protection/auditing/event-6408.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6408(-): Registered product %1 failed and Windows Firewall is now controlling the filtering for %2.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6409.md b/windows/security/threat-protection/auditing/event-6409.md
index 6855ea810d..1ac08c75f1 100644
--- a/windows/security/threat-protection/auditing/event-6409.md
+++ b/windows/security/threat-protection/auditing/event-6409.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6409(-): BranchCache: A service connection point object could not be parsed.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[BranchCache](/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/jj127252(v=ws.11)) events are outside the scope of this document.
diff --git a/windows/security/threat-protection/auditing/event-6410.md b/windows/security/threat-protection/auditing/event-6410.md
index a306a98882..a9f5e5111f 100644
--- a/windows/security/threat-protection/auditing/event-6410.md
+++ b/windows/security/threat-protection/auditing/event-6410.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6410(F): Code integrity determined that a file does not meet the security requirements to load into a process.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
[Code Integrity](/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/dd348642(v=ws.10)) is a feature that improves the security of the operating system by validating the integrity of a driver or system file each time it is loaded into memory. Code Integrity detects whether an unsigned driver or system file is being loaded into the kernel, or whether a system file has been modified by malicious software that is being run by a user account with administrative permissions. On x64-based versions of the operating system, kernel-mode drivers must be digitally signed.
diff --git a/windows/security/threat-protection/auditing/event-6416.md b/windows/security/threat-protection/auditing/event-6416.md
index 4b85673aa7..337a5395be 100644
--- a/windows/security/threat-protection/auditing/event-6416.md
+++ b/windows/security/threat-protection/auditing/event-6416.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6416(S): A new external device was recognized by the System.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6419.md b/windows/security/threat-protection/auditing/event-6419.md
index 90c145ff77..69a6f30def 100644
--- a/windows/security/threat-protection/auditing/event-6419.md
+++ b/windows/security/threat-protection/auditing/event-6419.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6419(S): A request was made to disable a device.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6420.md b/windows/security/threat-protection/auditing/event-6420.md
index 51570d3ab3..3a2dc5c9d9 100644
--- a/windows/security/threat-protection/auditing/event-6420.md
+++ b/windows/security/threat-protection/auditing/event-6420.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6420(S): A device was disabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6421.md b/windows/security/threat-protection/auditing/event-6421.md
index ef4e0b856f..8ac5372312 100644
--- a/windows/security/threat-protection/auditing/event-6421.md
+++ b/windows/security/threat-protection/auditing/event-6421.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6421(S): A request was made to enable a device.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6422.md b/windows/security/threat-protection/auditing/event-6422.md
index 2b2f45d1b8..7e577f25c3 100644
--- a/windows/security/threat-protection/auditing/event-6422.md
+++ b/windows/security/threat-protection/auditing/event-6422.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6422(S): A device was enabled.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6423.md b/windows/security/threat-protection/auditing/event-6423.md
index 3332a01011..5f8278b20e 100644
--- a/windows/security/threat-protection/auditing/event-6423.md
+++ b/windows/security/threat-protection/auditing/event-6423.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6423(S): The installation of this device is forbidden by system policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
diff --git a/windows/security/threat-protection/auditing/event-6424.md b/windows/security/threat-protection/auditing/event-6424.md
index 8ca1ce36d6..ba3fcbffe7 100644
--- a/windows/security/threat-protection/auditing/event-6424.md
+++ b/windows/security/threat-protection/auditing/event-6424.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: none
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# 6424(S): The installation of this device was allowed, after having previously been forbidden by policy.
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
This event occurs rarely, and in some situations may be difficult to reproduce.
diff --git a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
index 1093140e38..9c7941df2b 100644
--- a/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/file-system-global-object-access-auditing.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# File System (Global Object Access Auditing)
-**Applies to**
-- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **File System (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the file system for an entire computer.
diff --git a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
index 1efc819647..cc3bf79488 100644
--- a/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
+++ b/windows/security/threat-protection/auditing/how-to-list-xml-elements-in-eventdata.md
@@ -7,7 +7,7 @@ ms.sitesec: library
ms.pagetype: security
ms.localizationpriority: medium
author: dansimp
-ms.date: 10/22/2018
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,8 +16,6 @@ ms.technology: mde
# How to get a list of XML data name elements in EventData
-**Applies to**
-- Windows 10
The Security log uses a manifest where you can get all of the event schema.
diff --git a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
index 3c07a1dae0..c446bdec67 100644
--- a/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-central-access-policy-and-rule-definitions.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor central access policy and rule definitions
-**Applies to**
-- Windows 10
This article for IT professionals describes how to monitor changes to central access policy and central access rule definitions when you use advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-claim-types.md b/windows/security/threat-protection/auditing/monitor-claim-types.md
index baf7d9e8a7..b9e1ea714f 100644
--- a/windows/security/threat-protection/auditing/monitor-claim-types.md
+++ b/windows/security/threat-protection/auditing/monitor-claim-types.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor claim types
-**Applies to**
-- Windows 10
This topic for the IT professional describes how to monitor changes to claim types that are associated with dynamic access control when you are using advanced security auditing options.
diff --git a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
index ed4d03037f..791549bb4f 100644
--- a/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
+++ b/windows/security/threat-protection/auditing/monitor-resource-attribute-definitions.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor resource attribute definitions
-**Applies to**
-- Windows 10
This topic for the IT professional describes how to monitor changes to resource attribute definitions when you are using advanced security auditing options to monitor dynamic access control objects.
Resource attribute definitions define the basic properties of resource attributes, such as what it means for a resource to be defined as “high business value.” Resource attribute definitions are stored in AD DS under the Resource Properties container. Changes to these definitions could significantly change the protections that govern a resource, even if the resource attributes that apply to the resource remain unchanged. Changes can be monitored like any other AD DS object.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
index f034f7c0fc..ece759aeb6 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-associated-with-files-and-folders.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor the central access policies associated with files and folders
-**Applies to**
-- Windows 10
This article for IT professionals describes how to monitor changes to the central access policies that are associated with files and folders when you're using advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
index 12dedf0d60..2d50a5c7db 100644
--- a/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
+++ b/windows/security/threat-protection/auditing/monitor-the-central-access-policies-that-apply-on-a-file-server.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor the central access policies that apply on a file server
-**Applies to**
-- Windows 10
This article describes how to monitor changes to the central access policies (CAPs) that apply to a file server when using advanced security auditing options to monitor dynamic access control objects. CAPs are created on a domain controller and then applied to file servers through Group Policy management.
diff --git a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
index f1676a1640..f223b3433d 100644
--- a/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
+++ b/windows/security/threat-protection/auditing/monitor-the-resource-attributes-on-files-and-folders.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor the resource attributes on files and folders
-**Applies to**
-- Windows 10
This topic for the IT professional describes how to monitor attempts to change settings to the resource attributes on files when you are using advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
index 04ac1c7929..af897bbd62 100644
--- a/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
+++ b/windows/security/threat-protection/auditing/monitor-the-use-of-removable-storage-devices.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date:
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor the use of removable storage devices
-**Applies to**
-- Windows 10
This topic for the IT professional describes how to monitor attempts to use removable storage devices to access network resources. It describes how to use advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
index edaf8e590f..7f950dd7b1 100644
--- a/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
+++ b/windows/security/threat-protection/auditing/monitor-user-and-device-claims-during-sign-in.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Monitor user and device claims during sign-in
-**Applies to**
-- Windows 10
This topic for the IT professional describes how to monitor user and device claims that are associated with a user’s security token when you are using advanced security auditing options to monitor dynamic access control objects.
diff --git a/windows/security/threat-protection/auditing/other-events.md b/windows/security/threat-protection/auditing/other-events.md
index e74cf80553..a54f6a6f1c 100644
--- a/windows/security/threat-protection/auditing/other-events.md
+++ b/windows/security/threat-protection/auditing/other-events.md
@@ -7,7 +7,7 @@ ms.mktglfcycl: deploy
ms.sitesec: library
ms.localizationpriority: medium
author: dansimp
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.reviewer:
manager: dansimp
ms.author: dansimp
@@ -16,10 +16,6 @@ ms.technology: mde
# Other Events
-**Applies to**
-- Windows 10
-- Windows Server 2016
-
Events in this section generate automatically and are enabled by default.
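Review bot: This is the only file in the set whose removed **Applies to** list also named a server SKU (`- Windows Server 2016`), so the server applicability of these audit events is lost entirely here rather than merely left implicit. Keep a mention of Windows Server in the body or in the metadata if that coverage still holds, otherwise the omission will read as an intentional narrowing to client OS.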
diff --git a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
index 068c8792d4..d47efbedbf 100644
--- a/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
+++ b/windows/security/threat-protection/auditing/planning-and-deploying-advanced-security-audit-policies.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Plan and deploy advanced security audit policies
-**Applies to**
-- Windows 10
This article for IT professionals explains the options that security policy planners should consider and the tasks they must complete to deploy an effective security audit policy in a network that includes advanced security audit policies.
diff --git a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
index 3c5c1ece1e..a01a3a3514 100644
--- a/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
+++ b/windows/security/threat-protection/auditing/registry-global-object-access-auditing.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Registry (Global Object Access Auditing)
-**Applies to**
-- Windows 10
This topic for the IT professional describes the Advanced Security Audit policy setting, **Registry (Global Object Access Auditing)**, which enables you to configure a global system access control list (SACL) on the registry of a computer.
diff --git a/windows/security/threat-protection/auditing/security-auditing-overview.md b/windows/security/threat-protection/auditing/security-auditing-overview.md
index ec89d5ef53..fb1184eed7 100644
--- a/windows/security/threat-protection/auditing/security-auditing-overview.md
+++ b/windows/security/threat-protection/auditing/security-auditing-overview.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Security auditing
-**Applies to**
-- Windows 10
Topics in this section are for IT professionals and describes the security auditing features in Windows and how your organization can benefit from using these technologies to enhance the security and manageability of your network.
diff --git a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
index 6e90c989e0..dd8bb6516d 100644
--- a/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
+++ b/windows/security/threat-protection/auditing/using-advanced-security-auditing-options-to-monitor-dynamic-access-control-objects.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Using advanced security auditing options to monitor dynamic access control objects
-**Applies to**
-- Windows 10
This guide explains the process of setting up advanced security auditing capabilities that are made possible through settings and events that were introduced in Windows 8 and Windows Server 2012.
diff --git a/windows/security/threat-protection/auditing/view-the-security-event-log.md b/windows/security/threat-protection/auditing/view-the-security-event-log.md
index 84a296e182..5b89a3802e 100644
--- a/windows/security/threat-protection/auditing/view-the-security-event-log.md
+++ b/windows/security/threat-protection/auditing/view-the-security-event-log.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# View the security event log
-**Applies to**
-- Windows 10
The security log records each event as defined by the audit policies you set on each object.
diff --git a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
index 4b20841dd8..8e1db3e1b0 100644
--- a/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
+++ b/windows/security/threat-protection/auditing/which-editions-of-windows-support-advanced-audit-policy-configuration.md
@@ -14,14 +14,12 @@ manager: dansimp
audience: ITPro
ms.collection: M365-security-compliance
ms.topic: conceptual
-ms.date: 04/19/2017
+ms.date: 09/09/2021
ms.technology: mde
---
# Which editions of Windows support advanced audit policy configuration
-**Applies to**
-- Windows 10
Advanced audit policy configuration is supported on all versions of Windows since it was introduced in Windows Vista.
There is no difference in security auditing support between 32-bit and 64-bit versions.
diff --git a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
index c1ffec9b59..3fff0198ed 100644
--- a/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
+++ b/windows/security/threat-protection/block-untrusted-fonts-in-enterprise.md
@@ -13,7 +13,7 @@ author: dansimp
ms.author: dansimp
ms.date: 08/14/2017
ms.localizationpriority: medium
-ms.technology: mde
+ms.technology: other
---
# Block untrusted fonts in an enterprise
diff --git a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
index 4065b2122a..3112632b29 100644
--- a/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
+++ b/windows/security/threat-protection/device-guard/requirements-and-deployment-planning-guidelines-for-virtualization-based-protection-of-code-integrity.md
@@ -1,6 +1,6 @@
---
title: Deployment guidelines for Windows Defender Device Guard (Windows 10)
-description: Plan your deployment of Windows Defender Device Guard. Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
+description: Plan your deployment of Hypervisor-Protected Code Integrity (aka Memory Integrity). Learn about hardware requirements, deployment approaches, code signing and code integrity policies.
keywords: virtualization, security, malware
ms.prod: m365-security
ms.mktglfcycl: deploy
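Review bot: The `title` line still reads "Deployment guidelines for Windows Defender Device Guard (Windows 10)" while the new `description` leads with Hypervisor-Protected Code Integrity, so the page will be listed under one name in search results and describe itself under another; update the title (and the `keywords` line, which still lists only `virtualization, security, malware`) to match the HVCI/WDAC framing used in the rest of the patch. Minor: spell out "also known as" instead of "aka" in the description.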
@@ -21,14 +21,14 @@ ms.technology: mde
**Applies to**
- Windows 10
-Computers must meet certain hardware, firmware, and software requirements in order to take advantage of all of the virtualization-based security (VBS) features in [Windows Defender Device Guard](../device-guard/introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md). Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
+Computers must meet certain hardware, firmware, and software requirements in order to take advantage of Hypervisor-Protected Code Integrity (HVCI), a virtualization-based security (VBS) feature in Windows. HVCI is referred to as Memory Integrity under the Core Isolation section of the Windows security settings. Computers lacking these requirements can still be protected by Windows Defender Application Control (WDAC) policies—the difference is that those computers will not be as hardened against certain threats.
For example, hardware that includes CPU virtualization extensions and SLAT will be hardened against malware that attempts to gain access to the kernel, but without protected BIOS options such as “Boot only from internal hard drive,” the computer could be booted (by a malicious person who has physical access) into an operating system on bootable media.
> [!WARNING]
> Virtualization-based protection of code integrity may be incompatible with some devices and applications. We strongly recommend testing this configuration in your lab before enabling virtualization-based protection of code integrity on production systems. Failure to do so may result in unexpected failures up to and including data loss or a blue screen error (also called a stop error).
-The following tables provide more information about the hardware, firmware, and software required for deployment of various Windows Defender Device Guard features. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
+The following tables provide more information about the hardware, firmware, and software required for deployment of WDAC and HVCI. The tables describe baseline protections, plus protections for improved security that are associated with hardware and firmware options available in 2015, 2016, and 2017.
> [!NOTE]
> Beginning with Windows 10, version 1607, Trusted Platform Module (TPM 2.0) must be enabled by default on new computers.
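Review bot: The rewritten paragraph drops the link to introduction-to-device-guard-virtualization-based-security-and-windows-defender-application-control.md and introduces "Memory Integrity" and "Core Isolation" with no cross-reference, so a reader now has nowhere to go for what HVCI enforces or how to enable it; replace the removed link with one to the HVCI/Memory Integrity article rather than leaving the term bare. The second paragraph ("The following tables provide more information about ... WDAC and HVCI") is fine, but "hardware and firmware options available in 2015, 2016, and 2017" is a dated statement that this 2021 refresh leaves untouched; either update the years or reword it as "hardware and firmware options introduced since 2015".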
@@ -42,9 +42,9 @@ The following tables provide more information about the hardware, firmware, and
| Firmware: **UEFI firmware version 2.3.1.c or higher with UEFI Secure Boot** | See the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI Secure Boot helps ensure that the device boots only authorized code. This can prevent boot kits and root kits from installing and persisting across reboots. |
| Firmware: **Secure firmware update process** | UEFI firmware must support secure firmware update found under the System.Fundamentals.Firmware.UEFISecureBoot requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Systems download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | UEFI firmware just like software can have security vulnerabilities that, when found, need to be patched through firmware updates. Patching helps prevent root kits from getting installed. |
| Software: **HVCI compatible drivers** | See the Filter.Driver.DeviceGuard.DriverCompatibility requirement in the [Windows Hardware Compatibility Specifications for Windows 10, version 1809 and Windows Server 2019 - Filter driver download](https://go.microsoft.com/fwlink/?linkid=2027110). You can find previous versions of the Windows Hardware Compatibility Program Specifications and Policies [here](/windows-hardware/design/compatibility/whcp-specifications-policies). | [HVCI Compatible](https://blogs.msdn.microsoft.com/windows_hardware_certification/2015/05/22/driver-compatibility-with-device-guard-in-windows-10/) drivers help ensure that VBS can maintain appropriate memory permissions. This increases resistance to bypassing vulnerable kernel drivers and helps ensure that malware cannot run in kernel. Only code verified through code integrity can run in kernel mode. |
-| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
| Support for VBS and for management features that simplify configuration of Windows Defender Device Guard. |
+| Software: Qualified **Windows operating system** | Windows 10 Enterprise, Windows 10 Pro, Windows 10 Education, Windows Server 2016, or Windows 10 IoT Enterprise
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
| Support for VBS and for management features. |
-> **Important** The following tables list additional qualifications for improved security. You can use Windows Defender Device Guard with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that Windows Defender Device Guard can provide.
+> **Important** The following tables list additional qualifications for improved security. You can use WDAC and HVCI with hardware, firmware, and software that support baseline protections, even if they do not support protections for improved security. However, we strongly recommend meeting these additional qualifications to significantly strengthen the level of security that WDAC and HVCI can provide.
## Additional qualifications for improved security
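Review bot: In the qualified-OS row, the restriction "Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard" is now the only reference to Credential Guard on a page that scopes itself to WDAC and HVCI, so it reads as a stray note; either reword it around what this page covers (only virtualization-based protection of code integrity is supported on a Server 2016 domain controller) and link to the Credential Guard requirements page, or drop it. The shortened benefit cell "Support for VBS and for management features." is also vaguer than before: with the Device Guard qualifier deleted, it no longer says which management features are meant.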
@@ -76,4 +76,4 @@ The following tables describe additional hardware and firmware qualifications, a
| Protections for Improved Security | Description | Security benefits |
|---------------------------------------------|----------------------------------------------------|------|
| Firmware: **VBS enablement of NX protection for UEFI runtime services** | • VBS will enable No-Execute (NX) protection on UEFI runtime service code and data memory regions. UEFI runtime service code must support read-only page protections, and UEFI runtime service data must not be executable.
Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard. Only virtualization-based protection of code integrity is supported in this configuration.
• UEFI runtime service must meet these requirements:
• Implement UEFI 2.6 EFI_MEMORY_ATTRIBUTES_TABLE. All UEFI runtime service memory (code and data) must be described by this table.
• PE sections need to be page-aligned in memory (not required for in non-volitile storage).
• The Memory Attributes Table needs to correctly mark code and data as RO/NX for configuration by the OS:
• All entries must include attributes EFI_MEMORY_RO, EFI_MEMORY_XP, or both
• No entries may be left with neither of the above attributes, indicating memory that is both executable and writable. Memory must be either readable and executable or writeable and non-executable.
• This only applies to UEFI runtime service memory, and not UEFI boot service memory.
• This protection is applied by VBS on OS page tables.
Please also note the following:
• Do not use sections that are both writeable and executable
• Do not attempt to directly modify executable system memory
• Do not use dynamic code | • Vulnerabilities in UEFI runtime, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware. |
-| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
\ No newline at end of file
+| Firmware: **Firmware support for SMM protection** | The [Windows SMM Security Mitigations Table (WSMT) specification](https://download.microsoft.com/download/1/8/A/18A21244-EB67-4538-BAA2-1A54E0E490B6/WSMT.docx) contains details of an Advanced Configuration and Power Interface (ACPI) table that was created for use with Windows operating systems that support Windows virtualization-based security (VBS) features.| • Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS (such as in functions like UpdateCapsule and SetVariable)
• Reduces the attack surface to VBS from system firmware.
• Blocks additional security attacks against SMM. |
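Review bot: The only change to the SMM-protection row is the added trailing newline (the `\ No newline at end of file` marker), but since the whole row is rewritten here, fix its benefits cell at the same time: "Protects against potential vulnerabilities in UEFI runtime services, if any, will be blocked from compromising VBS" is not a sentence, and together with "Reduces the attack surface to VBS from system firmware" it is a near-copy of the NX row's benefits rather than a description of what the WSMT table gives the OS, namely a firmware attestation of which SMM mitigations are implemented. Two pre-existing defects in the unchanged NX row are worth fixing in the same PR: the Credential Guard sentence ("Windows Server 2016 running as a domain controller does not support Windows Defender Credential Guard...") sits in the middle of the UEFI runtime-service description where it plainly does not belong, and "non-volitile" should be "non-volatile".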
diff --git a/windows/security/threat-protection/fips-140-validation.md b/windows/security/threat-protection/fips-140-validation.md
index cbcb5ff098..fc40dc48df 100644
--- a/windows/security/threat-protection/fips-140-validation.md
+++ b/windows/security/threat-protection/fips-140-validation.md
@@ -10,7 +10,7 @@ ms.collection: M365-identity-device-management
ms.topic: article
ms.localizationpriority: medium
ms.reviewer:
-ms.technology: mde
+ms.technology: other
---
# FIPS 140-2 Validation
@@ -102,10 +102,10 @@ Validated Editions: Home, Pro, Enterprise, Education
@@ -172,10 +172,10 @@ Validated Editions: Home, Pro, Enterprise, Education
@@ -236,10 +236,10 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
@@ -305,11 +305,11 @@ Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
Validated Editions: Home, Pro, Enterprise, Education, S, Surface Hub, Mobile
-
@@ -393,10 +393,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile
@@ -486,10 +486,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, Surface Hub
@@ -584,10 +584,10 @@ Validated Editions: Home, Pro, Enterprise, Enterprise LTSB, Mobile, and Surface
@@ -682,10 +682,10 @@ Validated Editions: RT, Pro, Enterprise, Phone, Embedded
@@ -861,10 +861,10 @@ Validated Editions: Windows 7, Windows 7 SP1
@@ -985,10 +985,10 @@ Validated Editions: Ultimate Edition
@@ -1103,10 +1103,10 @@ Validated Editions: Ultimate Edition
@@ -1144,10 +1144,10 @@ Validated Editions: Ultimate Edition
@@ -1178,10 +1178,10 @@ Validated Editions: Ultimate Edition
@@ -1205,10 +1205,10 @@ Validated Editions: Ultimate Edition
@@ -1232,10 +1232,10 @@ Validated Editions: Ultimate Edition
@@ -1269,10 +1269,10 @@ Validated Editions: Ultimate Edition
@@ -1310,10 +1310,10 @@ Validated Editions: Ultimate Edition
@@ -1340,10 +1340,10 @@ Validated Editions: Ultimate Edition
@@ -1367,10 +1367,10 @@ Validated Editions: Ultimate Edition
@@ -1419,10 +1419,10 @@ Validated Editions: Standard, Datacenter
@@ -1489,10 +1489,10 @@ Validated Editions: Standard, Datacenter
@@ -1553,10 +1553,10 @@ Validated Editions: Standard, Datacenter
@@ -1623,10 +1623,10 @@ Validated Editions: Standard, Datacenter, Storage Server
@@ -2024,10 +2024,10 @@ Validated Editions: Server, Storage Server
@@ -2065,10 +2065,10 @@ Validated Editions: Server, Storage Server